The end may now be in sight for a four-year legal battle over a 2014 healthcare data breach. Although the settlement has not yet received final court approval, the tentative settlement of the class-action lawsuit over the 2014 Flowers Hospital data breach could provide up to $150,000 in total payments to the more than 1,200 affected individuals.
The breach was the work of an insider: a former employee of the Alabama-based hospital stole patients’ PHI to use in an identity theft and tax fraud scheme. Kamarian D. Millender, the former lab technician responsible for the breach, admitted to stealing the records and was sentenced to two years in jail. The records were stolen between June 2013 and February 2014 and included patient names, addresses, dates of birth, and health plan policy numbers.
The class-action lawsuit was filed in 2014 and argued that Flowers Hospital did not appropriately safeguard paper records, leaving them exposed to employees and third parties and thereby increasing patients’ risk of identity theft and medical fraud. The lawsuit also alleged a violation of the Fair Credit Reporting Act.
The Tentative Settlement
After a failed attempt to have the case dismissed following the original suit, Flowers Hospital has now decided to settle. The settlement would cap damages at $5,000 per person, with total payments not to exceed $150,000. These funds would cover out-of-pocket expenses for victims of the breach who submit a valid claim showing that they purchased credit-monitoring or identity theft protection services after receiving the breach notification. Victims would also be eligible for compensation for up to four hours of documented time spent obtaining those protection or monitoring services, as well as any unreimbursed interest on a tax refund delayed by a fraudulent tax return filed between the date the records were first inappropriately accessed (June 2013) and the claims deadline.
What Makes the Flowers Hospital Settlement Different?
Several things set the Flowers Hospital breach apart from most other breaches, starting with its source. Class-action lawsuits involving the exposure or theft of PHI typically follow data being exposed to or stolen by an outside attacker, whereas this incident was the direct result of an employee stealing patient records.
Insider threats are often overlooked but should be a top concern for organizations. Many organizations put so much of their focus on protecting themselves against external threats that they overlook the very real risk that their own employees will cause their next breach.
In addition, it is likely that the breach at Flowers Hospital could have been avoided had an appropriate HIPAA program been in place. A robust HIPAA compliance program should include a HIPAA risk assessment to identify compliance gaps (including how paper records are stored and who can access them), the development and implementation of policies and procedures, workforce education, and ongoing training.
Another notable aspect of this breach is that the monetary losses suffered by Flowers Hospital are not the result of a fine issued by the Department of Health and Human Services’ Office for Civil Rights (OCR), but rather losses incurred through the class-action lawsuit. These losses serve as an important reminder that even if you suffer a breach and escape an OCR fine, that does not mean you will avoid monetary losses. Those losses could come from a lawsuit, or from something such as lost business due to the reputational damage caused by the incident.
The breach of patient records at Flowers Hospital occurred in 2014 and is only now nearing the end of its legal battle. Remember, a breach can have a long-lasting effect on your organization, and the passage of time does not mean it has been swept under the rug.
Taking the appropriate steps to protect your organization from both insider and outsider threats will go a long way toward ensuring that your organization not only knows how to prevent breaches, but also knows how to respond to them when they do occur.