A class action lawsuit has been filed in the Kanawha Circuit Court against Charleston Area Medical Center, for a data breach that occurred between August 2013 and February 2014.
The lawsuit has been filed by two plaintiffs who were patients of the medical center at the time of the data breach. Tiffany Mallion and Nickole Pullen claim they entered into an agreement with the hospital to receive treatment, but that the agreement also included securing their health information. They allege their Protected Health Information (PHI) was exposed as a result of a number of security failures at the medical center.
It is alleged that the protections put in place to secure data were insufficient, and left highly sensitive information “unprotected, unguarded and unsecured.” A catalog of security failings has been cited, such as a failure to train staff on privacy and data security matters, a failure to protect data, as well as a lack of physical protections to secure the equipment on which the data was stored. As a result, the plaintiffs claim “their physician-patient confidential relationship has been breached.”
Under the Health Insurance Portability and Accountability Act, all covered entities are required to implement physical, administrative and technical safeguards to keep stored data secure. HIPAA does not specify the exact protections that must be put in place; instead this is left to the discretion of the covered entity.
HIPAA also requires covered entities to respond to data breaches in a timely manner, and notify patients of a data breach “without unnecessary delay,” and certainly within 60 days of the discovery of a data breach. The plaintiffs allege that HIPAA Rules have been violated after the medical center failed to notify patients within the allowable timescale.
The data breach was discovered in February 2014. Under HIPAA Rules, breach notification letters should have been sent to the victims in April. The plaintiffs claim they did not receive their letters until May 2014, more than two years after their records were first breached.
The delay in notification placed the plaintiffs at an increased risk of suffering identity fraud, and stopped them from taking precautions to secure their credit and identities. It is not clear if the plaintiffs actually suffered any harm or damage as a result of the breach. Class certification and compensatory damages are being sought by the two patients.