BreachExchange mailing list archives

Costly End to 17-Year-Old Breach Case


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 31 Oct 2014 13:40:05 -0600

http://www.databreachtoday.com/costly-end-to-17-year-old-breach-case-a-7506

A settlement finalized this past week in a class action lawsuit filed in
1997 against Tenet Healthcare for a privacy breach involving thousands of
patients' paper records offers important lessons for healthcare providers
today.

One key takeaway from the settlement is that while most healthcare
organizations have been moving to safeguard electronic health records and
other digital platforms, millions of paper records that still need proper
safeguarding remain in their institutions. Those paper records contain
patients' protected health information, including records from closed
facilities and records in storage.

Patient electronic data stored on old computer equipment also needs to be
properly disposed of by healthcare providers or their business associates, or
else they risk breaches that can potentially turn into costly and protracted
lawsuits or enforcement actions by government regulators.

"This case is a good reminder that while people focus on electronic
information, paper records still need to be protected, as does digitized
information from closed operations," says Elizabeth Hodge, a compliance
attorney for the Akerman law firm.

Case Details

The $32.5 million settlement between the Dallas-based hospital chain and
plaintiffs is the end of a class-action suit that was filed in a New
Orleans court in 1997. The suit focused on a breach that occurred in April
1996 when boxes of medical and mental health records for more than 5,600
patients were found discarded in the parking lot of a Louisiana psychiatric
center. That facility, which at the time had recently been shut down, was
owned by Tenet Healthcare. The documents contained patient names,
diagnoses, medication, treatment and financial data.

The suit charged that the breach, which occurred before the HIPAA privacy
rule took effect in 2001, was an invasion of the plaintiffs' privacy.

A lawyer representing the plaintiffs, Alex Ducros of the Orrill, Cordell
and Beary law firm, issued a statement saying his clients were satisfied
with the terms of the settlement "that provides all class members who have
suffered harm the opportunity to recover fair compensation has been
reached."

The settlement established a fund from which each of the 5,649 plaintiffs
will receive $1,000. The remainder of the settlement money will cover
lawyer fees and administrative costs accumulated over 17 years.

Tenet, in a statement, says it agreed to resolve the matter related to a
hospital it had sold nearly two decades ago. "The matter has been litigated
through the Louisiana state court system for 17 years," the Tenet statement
says. "While we do not agree that the action was suitable for class
treatment, we made the business decision to bring this matter to
resolution."

Lengthy Case

The case against Tenet stretched on for nearly two decades, due in large part
to multiple appeals that were filed during various stages of the litigation.
"This case is extreme in the length of time it took, but it shows how
complex breach suits can be," Hodge says.

Privacy attorney Adam Green says the case demonstrates some of the
challenges presented by class action suits regarding information breaches.
"Even though there is minimal case law that actually finds in favor of
plaintiffs with respect to information security breaches, they can still
lead to very costly settlements and time-consuming litigation that can drag
on for years - or, in this case, decades," says Green of the Davis Wright
Tremaine law firm. "I do think this case is very unusual, though, with
respect to how long the litigation lasted. Other data breach class actions
that settled have done so far sooner, such as five years after the
incident."

Among recent class action lawsuits was a $3 million settlement in October
2013 between AvMed, a health plan company, and plaintiffs in a case
stemming from a 2009 data breach that affected 1.2 million individuals (see
Settlement In AvMed Breach Suit). That case involved two stolen unencrypted
laptops containing AvMed health plan member names, addresses, Social
Security numbers and medical information.

Beware of Regulators

While the Tenet breach involving the improperly discarded paper records
happened before the HIPAA privacy rule became law, those kinds of incidents
can surely draw the attention of federal regulators for expensive
enforcement actions today. "The Office for Civil Rights has been picking
cases like these to serve as a teaching tool," Hodge says of the agency
within the Department of Health and Human Services that enforces HIPAA.

In June, for example, OCR slapped Parkview Health System with an $800,000
HIPAA settlement as a result of an incident in June 2009 involving the
paper medical records of 5,000 to 8,000 patients. Employees of Parkview, a
not-for-profit organization serving northeast Indiana and northwest Ohio,
had left 71 cardboard boxes of patient records at the end of the
driveway of a physician's home, within 20 feet of the public road (see
$800,000 Penalty For Paper Records Breach).

Common Problem

Another important lesson coming from the Tenet case is that it's not just
the healthcare sector that's dealing with a need to protect sensitive
information that's on paper. "Nearly a third of breaches involve
paper...and this is a problem across many industries," says attorney Beth
Diamond, global claims team leader at Beazley, a provider of cyber
insurance. "This case is a reminder of the need to mitigate risk,
including having [data] destruction policies, and training workers."

Diamond says the Tenet case also proves "you don't have to have a breach
affecting a million people for these cases to turn into tricky litigation
that is costly to defend and resolve."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
