HIPAA isn’t your only compliance worry when it comes to patients’ health information. Plaintiffs are filing lawsuits — and winning settlements — against health care providers for data breaches under other federal and state laws.
After the billing vouchers of more than 13,000 patients went missing from an off-site storage vendor, plaintiffs filed a class action lawsuit against the University of Miami Health System. The vouchers included patients’ names, dates of birth, Social Security numbers, physician names, insurance company names, medical record numbers, and procedure and diagnostic codes.
UMHS has requested that a Florida judge approve a proposed settlement in the class action lawsuit, according to attorney Linn Foster Freedman in a post for law firm Nixon Peabody. Under the settlement agreement, UMHS will pay $100,000 in individual claims, $90,000 in attorneys’ fees, and $1,500 to the named plaintiff. UMHS would also conduct risk assessments and remediation.
What’s especially curious about this lawsuit is that the plaintiff filed the action under the Fair Credit Reporting Act (FCRA) and Florida state law, alleging that she suffered financial harm because money was withdrawn from her bank account following the breach, Freedman states. “This is the first time we have seen a settlement by a health system for a data breach under the FCRA, nor do we see how the FCRA can be relevant to the facts of this case.”
Moreover, patients’ financial information does not appear to have been included in the breached data from the billing vouchers.
Warning: “This settlement is an unfortunate precedent on two levels — first, it appears to be a settlement under the FCRA, which is a first to our knowledge,” Freedman states. “And second, it is a settlement of a case where there does not appear to be any relationship between the data breach and the alleged harm and where the attorneys received almost as much as the settlement on the merits.”
Bottom line: “Opening these doors in the data breach arena is discouraging,” Freedman concludes.