Yet Another Class-Action Filed After Breaches of Patient Data
In what appears to be the trend in California for 2011, another class-action lawsuit has been filed, this time by patients of the University of California-Los Angeles (UCLA) Health System affected by a data breach in early September of this year. An external hard drive was stolen from the home of a former UCLA physician that contained the EHR data of over 16,000 patients from July 2007 to July 2011. No social security numbers, insurance information or credit/account information was included. Although the hard drive was encrypted, a piece of paper with the password was also missing.
Filed in mid-December, the UCLA class-action seeks as much as $16 million, asking $1,000 for each member as well as attorneys fees and other costs. The underlying data breach is hardly the first headache UCLA has had to dealt with, as UCLA paid a handsome $865,500 fine to OCR and developed a plan of corrective action this summer to settle privacy allegations that three UCLA hospitals improperly disclosed the medical records of celebrity patients as a result of employee snooping.
Several other health care entities in California have also recently had class-action lawsuits filed against them recently. Stanford Hospital and Clinics (SHC) experienced a data breach in August of 2011 when patient information was mistakenly made available online by one of its third-party vendors and its subcontractor. Patient names, admittance and discharge dates, and other information remained available on a commercial website for over one year, affecting approximately 20,000 patients. The class-action lawsuit was filed in October of 2011 and alleges negligence in safeguarding patient information and delays in notifying affected patients.
Sutter Health experienced a data breach in October of 2011 when a rock was thrown into the window of the Sutter Medical Foundation business office. An unencrypted computer was stolen containing names, addresses, birthdates, phone numbers, medical diagnoses and procedures of over 4 million patients. The class-action lawsuit against Sutter Health was filed in late November on behalf of over 900,000 patients, according to KCRA, and seeks certification of class-action status for the 4+ million patients affected.
Notably, HIPAA does not authorize private causes of action for violations of the HIPAA Privacy and Security Rules. The class-action lawsuits were brought under California's confidentiality laws, which, like HIPAA, set forth permissible and prohibited disclosures of patient medical information.
The California Confidentiality of Medical Information Act gives individuals the right to bring a cause of action for negligent releases of their confidential information or records. it also grants compensatory and punitive damages, as well as certain attorney fees, to individuals who have suffered economic loss or personal injury from a violation of their confidentiality. In addition, persons and entities face stiff administrative penalties for violations of patient information up to $2,500 per violation for negligent disclosures and $10,000-$25,000 for subsequent violations.