Class Action Sought for Charleston Area Medical Center Breach
Patients affected by a West Virginia hospital breach that went undetected for several months are seeking certification as a class action as reported by Health Data Management. Five of the approximately 3,655 affected patients have filed suit against the Charleston Area Medical Center in circuit court seeking damages based on four counts:
- breach of confidentiality
- negligence
- invasion of privacy by intrusion on seclusion
- invasion of privacy by unreasonable publicity of private life
The lawsuit, Tabata v. Charleston Area Medical Center, stems from the availability of a database containing patient names, social security numbers, medical information and demographic information on the Internet. A family member of a patient had found the information while searching the web.
Although the database was created in September of 2010 by a third party for patient case management in a research subsidiary of the hospital, the fact that it had inadvertently been made publically available went unnoticed until February 2011. However, the hospital acted quickly upon being made aware of the breach and promptly notified all potentially affected patients within 8 days.
The hospital had originally offered to pay for one year of credit monitoring as well as an immediate credit freeze at the three credit bureaus for all affected patients. Free credit reports were also made available to affected patients through the West Virginia Attorney General’s Office. In addition, after discussion with the Attorney General’s Office, the hospital hired a risk management group to conduct a security assessment and undertook a number of other measures to protect against further breaches.
The patients seek as part of the damages for the hospital to extend additional credit and identify protection and monitoring services. They also ask the court to require that the hospital establish a specific security program as well as award monetary damages for annoyance, embarrassment and emotional distress, and for the lack of security and violation of their privacy.
Although it is unclear yet what repercussions the hospital may face from the Department of Health and Human Services for the breach, the breach and accompanying lawsuit highlight the importance of monitoring business associates who have access to PHI and the resulting work product. In addition, frequent and periodic security assessments are crucial to identifying issues before an incident or breach occurs. A robust and proactive security assessment coupled with a strong information security program will go a long way towards effectively safeguarding patient electronic PHI as well as cutting costs associated with incident-response.
