Stanford University Hospital recently reported that its patients’ unencrypted protected health information (PHI) was compromised when a laptop was stolen from the hospital. This should have healthcare organizations evaluating and enhancing efforts to secure patient information. These incidents can form the basis for class action lawsuits, even though the Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not create a private right of action for violation. Indeed, in 2011 Stanford was sued in a putative class action for $20 million in connection with an alleged data security breach.
Healthcare IT News reported on June 13, 2013, that Stanford University’s Lucile Packard Children’s Hospital is notifying nearly 13,000 patients that their health information was compromised as the result of the theft of a hospital laptop. The laptop reportedly contained patient names, ages, medical record numbers, surgical procedures, names of involved doctors and phone numbers. This is the fifth major HIPAA data breach at a Stanford facility since 2010.
In January 2013, Stanford notified 57,000 patients of a HIPAA breach after an unencrypted laptop containing patient medical information was stolen from a physician’s car. Last year, Stanford notified 2,500 patients of the same type of problem when an unencrypted computer was stolen from a doctor’s office. In 2010, an employee stole a computer with 500 patients’ confidential information; Stanford was fined for allegedly reporting that outside of a state-mandated five-day time frame. Also in 2010, private information for 20,000 Stanford patients was posted to a student website, which resulted in a class action lawsuit seeking $20 million.
Patients and insureds who believe their PHI has been compromised are suing health providers, insurers and other organizations using various theories, including breach of contract and negligence. For example in federal court in Miami, individuals have sued an HMO claiming that their PHI was compromised when two laptops were stolen. That suit, brought as a putative class action, has been pending since 2010. The case involves claims of breach of contract, breach of implied contract, breach of implied covenants, negligence, negligence per se, breach of fiduciary duty and unjust enrichment.
As previously reported in the Akerman Healthcare Rx Blog, a patient filed a class action suit in federal court in Orlando against a hospital that employed two individuals who wrongfully accessed confidential patient information in order to sell it. The patient claims the hospital failed to implement proper safeguards required by HIPAA and has sued on behalf of an alleged class for breach of contract, breach of implied contract, unjust enrichment and breach of fiduciary duty.
Because the theft of PHI and equipment containing PHI is a common source of HIPAA violations, healthcare providers, insurers/HMOs and other organizations in possession of PHI must take appropriate security measures to comply with HIPAA and to reduce the risk of class action lawsuits. This includes completing a risk analysis, developing a written policy and training employees. These entities also should implement device and media controls, such as keeping computers, laptops and other equipment in secured areas, encrypting equipment, and placing tracking on equipment that contains or can access confidential information. Healthcare providers and health insurers are on notice that in addition to facing enforcement actions by the government, they are potential defendants in class action suits if they fail to appropriately secure and protect confidential patient information. Finally, if PHI has been compromised, the organization should consider providing identity theft protection to all individuals whose may have been affected. Regulatory enforcement agencies may require that the entity offer such protection to these individuals, and preemptively offering it may allow the organization to structure such protection on terms that are more favorable.