BreachExchange mailing list archives

Class Sues Hospital for Security Leak


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Fri, 26 Apr 2013 14:56:21 -0400

http://www.courthousenews.com/2013/04/26/57073.htm

     BALLSTON SPA, N.Y. (CN) - An upstate New York hospital exposed
patients to unauthorized snooping when doctors' notes became
accessible through a vendor's computer server, a class action claims
in state court.
     Lead plaintiffs Dara Halliday and Teresa Green discovered the
breach when they typed their names into Google's search engine and saw
links to confidential health information, they claim in Saratoga
County Supreme Court.
     They say the information included notes on their treatment,
medications, physical exams and laboratory reports from visits to the
family health centers or physician practices run by Glens Falls
Hospital. The records are stored electronically.
     The 400-bed hospital, which bills itself as the largest between
Albany and Montreal, operates more than two dozen health centers and
physician practices in six counties surrounding Glens Falls.
     A notice posted on the hospital's website says it learned of the
security breach in mid-March and began an investigation. A computer
forensics expert discovered that a server used by Portal Healthcare
Solutions, a third-party vendor, was left unsecured between Nov. 2 and
March 14.
     According to the notice, transcribed doctors' notes containing
medical information on 2,360 patients could have been accessed during
the four months. The reports did not include Social Security numbers,
financial account information or home addresses, according to the
hospital.
     "We have terminated Portal's services and the vendor no longer
does business with our hospital," states the notice, which included a
toll-free telephone number for inquiries about the breach.
     The hospital and Portal, dba Portal Ascend Group, are named as
defendants in the class action. Also named is Carpathia Hosting.
     Both Portal and Carpathia are based in suburban Washington, D.C.
Portal, which offers clinical documentation services for health care
providers, is a client of Carpathia, which provides electronic medical
record hosting services. Carpathia maintained the hospital's records
on a server in Ashburn, Va., according to the complaint.
     The class claims the hospital alerted the plaintiffs to the
breach in an April 3 letter that indicated it could not determine
whether any of the women's medical information had actually been
viewed.
     An online blog cited by the complaint, PHIprivacy.net, reported
that Portal's CEO said firewall settings had left a server vulnerable
to unrestricted access but that an examination of the logs showed no
access or downloads.
     The complaint calls those statements "false," and claims the
defendants "concealed from patients the true scope and nature of the
data breach that compromised and/or disclosed their medical records."
     It accuses the defendants of gross negligence, for failing to
safeguard and monitor the electronic files.
     "As a direct and proximate result of defendants' negligence,
plaintiffs have been injured, and said injury was foreseeable," the
complaint states.
     The plaintiffs seek monetary damages and expenses "for credit and
identity-theft monitoring and insurance, periodic credit reports,
anxiety, emotional distress, loss of privacy and other ordinary,
incidental and consequential damages as would be anticipated to arise
under the circumstances."
     They also seek punitive damages, claiming "(t)he acts of
defendants have been intentional, willful, wanton, illegal and done
with conscious and deliberate disregard for the health, safety and
rights of plaintiffs."
     They also seek an injunction to prevent destruction of any
electronic files related to the breach, including the server logs.
They want an independent computer forensics auditor to assess the
breach, and defendants ordered to retrieve any patient records that
were accessed.
     The plaintiffs are represented by Donald Boyajian and James
Peluso of Dreyer Boyajian in Albany.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
