Share this article on:

A woman in Alabama has been awarded $300,000 in damages after a doctor illegally accessed and disclosed her protected health information to a third party.

Plaintiff Amy Pertuit filed a lawsuit against Medical Center Enterprise (MCE) in Alabama, a former MCE physician, and an attorney over the violation of her privacy in January 2015.

According to lawyers for the plaintiff, Amy Pertuit’s husband was experiencing visitation issues and was involved in a custody battle with his former wife, Deanna Mortenson.

Mortenson contacted Dr. Lyn Diefendfer, a physician at MCE, and convinced her to obtain health information about Amy Pertuit for use against her husband in the custody battle. The information was disclosed to Mortenson’s attorney, Gary Bradshaw.

Dr. Diefendfer accessed Pertuit’s records through the Alabama Prescription Drug Monitoring Program website. Since Dr. Diefendfer had no treatment relationship with Pertuit, she was not authorized to access her medical information. The access and disclosure were violations of hospital policies and HIPAA Rules.

After discovering that her health information had been disclosed, Pertuit lodged a complaint with the Department of Health and Human Services’ Office for Civil Rights which put the hospital on notice. However, the hospital failed to implement appropriate sanctions against Diefendfer. Dr. Diefendfer is alleged to have accessed further health information in 2016 and again disclosed that information to Bradshaw.

The plaintiff’s lawyers also said that the hospital’s privacy officer had investigated Dr. Diefendfer and discovered 22 separate violations of hospital policies and HIPAA Rules.

The lawsuits filed against Dr. Diefender, Deanna Mortensen, and Gary Bradshaw were all settled out of court. The case against MCE went to a jury trial.

The jury unanimously found that MCE had failed to take appropriate action against Dr. Diefender after the discovery of the privacy violation, and awarded the plaintiff $295,000 in punitive damages and a further $5,000 as compensation for pain, suffering, and humiliation.

Follow Us

Share this article on:

The dust has barely settled after the news of the massive data breach at American Medical Collection Agency (AMCA) broke last week, but already more than a dozen lawsuits have been filed by victims of the breach.

The breach was officially announced by Quest Diagnostics on June 3, 2019 through a 8-K filing with the Securities and Exchange Commission (SEC), and a SEC filing by LabCorp on June 4, 2019, shortly followed by BioReference Laboratories. Currently, the personal of up to 20 million individuals has potentially been compromised.

The data breach at AMCA was identified by security researchers at Gemini Advisory who found a batch of 200,000 payment card numbers for sale on a popular darknet marketplace. The numbers included dates of birth and Social Security numbers. AMCA and law enforcement were notified, and systems were secured. However, the investigation revealed hackers had access to its web payment portal for 7 months.

It would appear that the hackers behind the breach have at least made an effort to monetize some of the stolen data so it is no surprise that there has been a flurry of class action lawsuits filed on behalf of victims of the breach. Plaintiffs in the lawsuits claim to have been harmed as a result of the data breach.

Most of the lawsuits name one or more of the laboratories where testing occurred – Quest Diagnostics, LabCorp and BioReference Laboratories. A small number also name AMCA and the company Optum360. Optum360 was a business associate of Quest Diagnostics. Under certain circumstances, when a patient did not pay a bill, Quest Diagnostics sent the patient’s information to Optum360, which passed the data to AMCA for collection.

Several of the class action lawsuits allege negligence and breach of implied contract for failing to secure personal information. One complaint alleges the use of encryption and the adoption of national and industry standards were warranted to prevent reasonably foreseeable harm to patients. However, even though the defendants had the funds available to implement controls to prevent the breach, they failed to adequately invest in their security programs.

The lawsuits allege various violations of state laws and are seeking damages, monetary relief, and penalties to be issued over the privacy violation.

Only a small percentage of the individuals have been notified about the breach by AMCA – mostly individuals who had their financial information exposed. The healthcare organizations that provided AMCA with health information are still waiting to receive details of all individuals affected. As more notification letters are sent, is likely that the numbers of affected individuals in these class-action lawsuits will swell and further lawsuits will be filed.

In addition to battling the class action lawsuits, all of the entities involved now face scrutiny by state and federal regulators and Congress. The breach will certainly be investigated by the HHS’ Office for Civil Rights to determine whether HIPAA Rules have been violated. So far, at least six state attorneys general have launched investigations into the breach: Michigan, New York, Minnesota, North Carolina, Illinois and Connecticut and have demanded answers about the breach.

If the investigations do uncover noncompliance with state or federal laws, financial penalties may be pursued. Already this year, state attorneys general have joined forces and filed a multi-state HIPAA lawsuit against Medical Informatics Engineering over its 2014 data breach. That breach resulted in a settlement of $900,000.

Follow Us

Share this article on:

Coffey Health System has agreed to a $250,000 settlement with the U.S. Department of Justice to resolve alleged violations of the False Claims and HITECH Acts.

The Kansas-based health system attested to having met HITECH Act risk analysis requirements during the 2012 and 2013 reporting period in claims to Medicare and Medicaid under the EHR Incentive Program.

One of the main aims of the HITECH Act was to encourage healthcare organizations to adopt electronic health records. Under the then named Meaningful Use Program, healthcare organizations were required to demonstrate meaningful use of EHRs in order to receive incentive payments. In addition to demonstrating meaningful use of EHRs, healthcare organizations were also required to meet certain requirements related to EHR technology and address the privacy and security risks associated with EHRs.

In 2016, Coffey Health System’s former CIO, Bashar Awad, and its former compliance officer, Cynthia McKerrigan, filed a lawsuit in federal court in Kansas against their former employer alleging violations of the False Claims Act.

Both alleged Coffey Health System had falsely claimed it had conducted risk analyses in order to receive incentive payments and was aware that those claims were false when they were submitted. As a result of the false claims, Coffey Health System received payments of $3 million under the Meaningful Use program which it did not qualify for.

Awad found no documentation that demonstrated risk analyses had been performed and had personally conducted some basic tests on network security and made an alarming discovery: The health system shared a firewall with Coffey County municipalities. That security failure allowed anyone to login to its system and see patient records from locations protected by the same firewall, including schools and libraries, by using its IP address and logging in. Any attempt to do so required no username or password – A major security failure and violation of the HIPAA Security Rule.

In 2014, Awad arranged for a third-party firm to conduct a risk analysis for the 2014 attestation. The risk analysis revealed several security issues including 5 critical vulnerabilities that had been allowed to persist unchecked. While some attempts were made to correct the issues identified in the risk analysis, Awad was not provided with sufficient resources to ensure those vulnerabilities were properly addressed. He claimed that few of the identified vulnerabilities had been corrected.

When the time came to submit the 2014 attestation, Awad refused to do so as several vulnerabilities had not been addressed. As a result of the failure to support the attestation, Awad was terminated. Awad and McKerrigan then sued Coffey Health System.

Under the whistleblower provisions of the False Claims Act, individuals can sue organizations on behalf of the government and receive a share of any settlement. Awad and McKerrigan will share $50,000 of the $250,000 settlement.

Coffey Health System settled the case with no admission of liability.

Follow Us

Share this article on:

The Supreme Court in Vermont has ruled that a patient can sue a hospital and one of its employees for a privacy violation, despite Vermont law and HIPAA not having a private cause of action for privacy violations.

The lawsuit alleges negligence over the disclosure of personal information that was obtained while the patient was being treated in the emergency room. The woman had visited the ER room to receive treatment for a laceration on her arm. The ER nurse who provided care to the patient notified law enforcement that the patient was intoxicated, had driven to the hospital, and intended to drive home after receiving treatment.

The nurse had detected an odor of alcohol on the patient’s breath. Using an alco-sensor, the nurse determined the patient had blood alcohol content of 0.215. In Vermont, that blood alcohol level is more than two and a half times the legal limit for driving. A police officer in the lobby of the hospital was notified and the patient was arrested, although charges were later dropped.

The women subsequently sued the hospital and the employee for violating her privacy by disclosing her health information to law enforcement.

The HIPAA Privacy Rule limits uses and disclosures of protected health information to treatment, payment, and healthcare operations, but there are exceptions. One of those exceptions is when a disclosure is made when there is a perceived serious threat to health or safety. The Privacy Rule permits such a disclosure if the disclosure is made to a person who could prevent or lessen a threat to either to the patient or the public.

Under the circumstances, the disclosure was reasonable and appropriate, which is what the Supreme Court ultimately concluded, affirming the Superior Court’s judgement. The disclosure was determined to have been made in order to mitigate an imminent threat to both the patient and the public. The Court rules “no reasonable factfinder could determine the disclosure was for any other purpose.” The plaintiff failed to prove that the disclosure had been made for any other purpose, such as in order for the patient to be arrested and charged.

The ruling is perfectly understandable; however, what is atypical is the case was given standing when state and HIPAA laws do not include a private cause of action. Patients do not have the right to sue their providers over violations of HIPAA laws and laws in Vermont also do not give patients that right. The case was ruled to have standing under a common-law private right of action for damages.

While the lawsuit was not successful, it could be cited in other lawsuits filed by patients who allege their privacy has been violated by their healthcare providers.

Follow Us