Author Archives: Cori Ilardi

St. Joseph Health Reaches $7.5M Settlement Agreement in Health Care Data Breach

St. Joseph Health System (SJHS) has reached a settlement in a class action lawsuit for a 2012 health care data breach. SJHS will split a total settlement of $7.5 million, paying class members $242 each.

In addition to the $7.5 million settlement, $3 million has been set aside for patients who suffered from identity theft. These patients may apply for up to $25,000 each. Court documents show that SJHS has invested money in notifying patients of the breach, complying with federal security regulations, and offering free credit monitoring for affected individuals. The health system will also be required to implement new and additional security measures.

The data breach reportedly occurred between 2011 and 2012. It was discovered when Danna Graewingholt, one of the class members, found that her protected health information (PHI) was available online via a search engine.

The hospital uncovered the breach after Graewingholt notified SJHS’s legal department. Potentially breached information included patients’ names, demographic information, advance directive status, medication allergies, smoking status, blood pressure, diagnoses, lab results, and medical data such as body mass index.

There were potentially 31,802 affected individuals spanning a number of SJHS’s facilities, including The Auxiliary of Mission Hospital Laguna Beach, Saint Joseph Hospital of Orange, Mission Hospital Regional Medical Center, Petaluma Valley Hospital Auxiliary, Redwood Memorial Hospital of Fortuna, Santa Rosa Memorial Hospital, The Auxiliary of Mission Hospital Mission Viejo, Saint Joseph Hospital of Eureka, Queen of the Valley Medical Center, and St. Jude Hospital.

A group of potentially affected victims filed a lawsuit against the health system. Court documents state that the lawsuit alleged wrongdoing on four counts: violation of the Confidentiality of Medical Information Act (CMIA), negligence, violation of the California Unfair Competition Law (UCL), and money had and received.

These kinds of class action lawsuits are common after data breaches. Last year, federal employees filed a class action lawsuit against the Office of Personnel Management (OPM), claiming OPM did not adequately protect their personal information and did not meet Federal Information Security Management Act (FISMA) requirements.

UCLA Health also recently had a health care data breach that potentially affected as many as 4.5 million patients, and is facing a class action lawsuit for failing to protect PHI. The class members in this case also allege that UCLA Health was negligent in its efforts to notify those potentially affected by the breach in a timely manner.

These cases stress the importance of adequate security measures to protect PHI. If a breach does occur, the HIPAA Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay and no later than 60 days after discovery, with additional obligations for breaches affecting 500 or more individuals: notice to HHS within the same 60-day window and notice to prominent media outlets serving the affected area. Breaches affecting fewer than 500 individuals may instead be logged and reported to HHS annually.

Physical Therapy Provider Settles with OCR for $25,000 in PHI Breach

On February 16, 2016, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced it had reached a settlement with Complete P.T., Pool & Land Physical Therapy, Inc. (CPT) after the organization exposed the protected health information (PHI) of a number of its patients. CPT, a California-based physical therapy practice, posted patient testimonials on its website that included patients’ full names and photographs without first obtaining HIPAA-compliant authorization from those patients.

After an investigation that began in 2012, OCR found that CPT failed to reasonably safeguard PHI, that it disclosed PHI without HIPAA-compliant authorization, and that it failed to create and follow policies and procedures that would ensure compliance with HIPAA authorization requirements.

The settlement requires CPT to admit civil liability for the violation, which is unusual: previous OCR resolution agreements have typically included provisions stating that the settlement is not an admission of liability. The settlement also requires CPT to pay $25,000 and to begin a three-year corrective action plan (CAP) with OCR, under which CPT must take steps to ensure that it is fully compliant with the HIPAA Privacy Rule going forward. The CAP also requires CPT to train its entire workforce on its policies and procedures, with documented attestation of that training, and to remove all unauthorized testimonials from its website.

In addition, CPT will need to submit an annual report of its compliance efforts to OCR, and will face stricter reporting requirements for the duration of the CAP.

This settlement is another example of the stricter enforcement and reporting requirements that OCR is pursuing for PHI breaches. Because a patient’s name or photograph, when tied to the fact that they received treatment, is itself PHI, health care organizations need to exercise caution before publishing personally identifiable information (PII) or PHI such as full names and photos on their websites or in promotional materials. Cases like the CPT breach illustrate how avoidable OCR fines and litigation are when the proper steps are taken to obtain valid authorization and keep PHI secure.