[BreachExchange] Up to $150K for Victims of Flowers’ Healthcare Data Breach

Destry Winant destry at riskbasedsecurity.com
Thu Aug 6 10:42:38 EDT 2020


https://healthitsecurity.com/news/up-to-150k-for-victims-of-flowers-healthcare-data-breach

July 25, 2018 - More than 1,200 people could receive up to $150,000 in
payments following the tentative settlement of a class-action lawsuit
against Alabama-based Flowers Hospital for a 2014 healthcare data
breach, TV station WTVY reported on July 23.

Back in 2014, Kamarian Millender, a former Flowers Hospital lab
technician, was indicted on charges that he stole patients’ PHI as
part of an alleged tax fraud scheme from June 2013 to February 2014.
Millender pled guilty to stealing the records and served time in
prison.

The breach compromised patient names, addresses, dates of birth,
Social Security numbers, and health plan policy numbers. The hospital
sent data breach notification letters on April 15, 2014.

Affected patients filed a punitive class-action lawsuit in federal
court, referencing a violation of the Fair Credit Reporting Act and
increased risks of identity theft and medical fraud.

Under the tentative settlement, those who were affected by the breach
would be reimbursed out-of-pocket credit monitoring costs and receive
up to four hours in lost wages. They would also be paid interest on
delayed tax refunds caused by the data breach, TV station WTVY
reported.

The cap on damages is $5,000 per person and $150,000 total for all
claims. All claims must be filed by December 13. No punitive damages
will be awarded.

If a federal judge approves the plan, the agreement would end the
four-year-old suit against Flowers Hospital.

In response to the original suit, Flowers Hospital filed a motion to
dismiss it, arguing that the plaintiffs had failed to link the data
breach to any actual economic harm they had suffered and the claims
lacked standing. However, the judge allowed the plaintiffs to amend
their complaint, which also meant that the motion to dismiss would not
carry over to the updated filing.

“Any motion to dismiss filed in response to plaintiffs’ amended
complaint, and any response in opposition thereto, shall fully set
forth any arguments in support of or in opposition to such motion, and
shall not simply renew or incorporate arguments made in previous
motions and responses thereto,” the judge wrote.

Two recent class-action lawsuits highlight the legal jeopardy that
healthcare organizations place themselves in by having inadequate
security programs.

In January, EHR vendor Allscripts suffered a SamSam ransomware attack
that prevented around 1,500 customers from accessing its cloud EHR
applications.

“The affected tools are part of a patient engagement platform and are
used to support and connect 45,000 physician practices, 180,000
physicians, 19,000 post-acute agencies, 2,500 hospitals, 100,000
electronic prescribing physicians, 40,000 in-home clinicians, and 7.2
million patients,” a report by HHS concerning the SamSam ransomware
threat stated.

One of its customers, Florida-based Surfside Non-Surgical Orthopedics,
filed a class-action lawsuit against Allscripts, arguing that it
suffered economic damage and other harm from the interruption in
Allscripts services.

“This attack hurt both patients and their healthcare providers using
the Allscripts systems in that providers were unable to e-prescribe
drugs, and patients were unable to obtain drugs e-prescribed for them
by those providers,” the Surfside lawsuit stated.

“Allscripts breached its duties by failing to implement, monitor, and
audit the security of its data and systems, resulting in a ransomware
attack that significantly impeded and/or prevented its clients’
ability to conduct business,” the class-action lawsuit stated.

Allscripts is asking a judge to dismiss the Surfside class-action lawsuit.

In addition, Missouri-based Children’s Mercy Hospital is facing a
class-action lawsuit for a data breach that affected more than 60,000
individuals earlier this year.

The law firm of McShane and Brady filed the lawsuit, accusing
Children’s Mercy Hospital of breaching its fiduciary duty to protect
patient privacy under Missouri law.

The information possibly accessed by hackers included patient names,
medical record numbers, dates of hospital stays and procedures,
diagnoses and conditions, and other clinical information.

Children’s Mercy reported to OCR in January that 63,049 individuals
were affected by the breach.

This is the fourth class action lawsuit McShane and Brady has filed
against Children’s Mercy over a patient data breach.

It behooves healthcare organizations to beef up their security
programs and practices to avoid the immediate costs of a data breach
or ransomware attack and the possible longer term costs of
class-action lawsuits.

