In addition to the negative publicity associated with being included on the federal tally of major health information breaches, some organizations are experiencing yet another impact of breaches: class action lawsuits.

The latest organization to be sued for a major breach is Sutter Health, which faces two class action lawsuits in the wake of a breach that affected more than 4.2 million patients. The breach incident stemmed from an unencrypted desktop computer that was stolen from an administrative office in October.

“The recent surge in class action lawsuits is yet another compelling reason for organizations to make necessary investments in privacy and security safeguards,” says Adam Greene, a partner at the Washington law firm Davis Wright Tremaine who formerly worked at the Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA. “Whether or not a class action suit is successful, defending such a suit represents a significant drain of time and money and ensures unwelcome headlines. Additionally, if one of these suits succeeded in court, the damages could be staggering and the precedent could have a huge impact across the industry.”

Security specialist Tom Walsh, president of Tom Walsh Consulting, notes: “I tell my clients, ‘Every time you have to do a breach notification letter to a patient or their family, you should expect at least one or more recipients will respond by hiring a lawyer to try and get some money out of the breach.’”

Walsh says he believes that the number of people actually harmed by breaches is “extremely low as compared to the number of breaches reported. Therefore, there may not be any real supporting evidence to justify a class action lawsuit. But since when has that ever stopped anyone?”

Sutter Allegations

The two lawsuits against Sutter Health allege the organization violated state law by failing to adequately safeguard its computers and data and that it did not notify those affected in a timely way as required under state law.

Officials at Sutter declined to comment on the lawsuits. But a spokesman noted Sutter was in the process of encrypting its computers when the theft occurred.

“Regarding notification in general, we had a dedicated team of people working to determine exactly what was on the computer, and that took some time,” a spokesman said. “As soon as we confirmed exactly what was on the computer and who was affected, we began the process of notifying patients.”

Breach Tally Update

The Sutter Health incident has not yet been added to the official tally of major breaches compiled by the HHS Office for Civil Rights. The list now includes 372 incidents affecting about 18 million individuals. It tracks incidents that have occurred since September 2009, when the interim final HIPAA breach notification rule took effect.

In the past month, about 27 new incidents affecting a total of more than 6 million have been added to the list. OCR adds incidents after it confirms details in an investigation.

Roughly 56 percent of all incidents on the federal breach tally have involved the theft or loss of electronic media or devices. About 22 percent have involved business associates.

Other Breach Lawsuits

The largest recent incident added to the list is a breach affecting enrollees in the TRICARE military health program, which affected 4.9 million. A $4.9 billion class action lawsuit has been filed in that case.

Stanford Hospital and Clinics also faces a class action lawsuit in conjunction with a recent breach involving a business associate’s subcontractor inappropriately posting information about 20,000 patients on a website (see: Stanford Breach an Unusual Tale).

The law firm that filed the suit against Stanford also filed a class action lawsuit related to a breach involving health insurer Health Net and IBM that affected 1.9 million.

And health insurer Wellpoint has faced multiple lawsuits regarding a breach incident.

Breach Prevention

To help prevent breaches, and potential lawsuits, Greene advises healthcare organizations to focus resources “on safeguarding files and databases where large volumes of patient information are stored, including backup tapes, and taking the steps necessary to feel comfortable that business associates are protecting such information.”

Walsh advises organizations to take three critical steps:

  • Encrypt data at rest, especially laptops, tablets, smart phones and portable media.
  • Increase education and awareness training. “Many breaches are unintentionally caused by carelessness or the actions of uninformed workers,” he says. “Providing less than 10 minutes of education on information security at new hire and annually is just not cutting it. Workers need constant periodic reminders.”
  • Carefully monitor business associates. “A signed business associate agreement is probably not enough,” Walsh says. “Obtain reasonable assurances through a checklist of security questions, require some type of certification or have an independent audit conducted to validate their security safeguards and controls. Build it into their contract.”
