D.C.-Area Healthcare Group Violated HIPPA Rules in 2023 Data Breach: Class Actions
Not-for-profit healthcare organization MedStar Health failed to encrypt or redact current and former patients’ protected health information (PHI) and personally identifiable information (PII) in a 2023 data breach that occurred between Jan. 25 and Oct. 13, alleged two Tuesday class actions (dockets 1:24-cv-01337 and 1:24-cv-01335) in U.S. District Court for Maryland. The virtually identical complaints were filed by Milberg Coleman attorney Thomas Pacheco.
MedStar announced the breach Friday, saying emails and files associated with three of its employees’ email accounts had been “accessed by an outside party” over the 10-month span, affecting the private information of over 180,000 individuals, the complaint said.
The unencrypted, unredacted private information was compromised due to the Washington, D.C., area health group’s “negligent and/or careless acts and omissions and its utter failure to protect its patients’ sensitive data,” said the complaint. Hackers targeted and obtained Washington, D.C., resident Gwendolyn Riddick's and Baltimore resident David Richter’s private information because of the “value in exploiting and stealing” their and class members’ identities, alleged the complaints. The “present and continuing risk" resulting from the data breach “will remain for their respective lifetimes,” it said.
On March 6, MedStar determined that the plaintiffs’ information was included in the emails and files that were accessed and that it “cannot rule out” that cyberthieves acquired or viewed it, said the complaint, citing the notice letter. Emails and files accessed may have included plaintiffs’ names, mailing addresses, dates of birth, dates of service, provider names and health insurance information, the complaint said.
Under the Health Insurance Portability and Accountability Act (HIPPA), MedStar is required to comply with its privacy and security rule for privacy of individually identifiable health information, said the complaints. That includes protecting electronic forms of medical information to ensure confidentiality of the PHI the covered entity creates, receives or transmits; protecting against “reasonably anticipated threats” to the security of such information; and protecting against “reasonably anticipated uses or disclosures of such information that are not permitted,” it said. Under HIPPA, MedStar is also required to ““review and modify the security measures implemented … as needed to continue provision of reasonable and appropriate protection of electronic protected health information.”
Under the Health Information Technology Act (HITECH), MedStar is obligated to “implement policies and procedures to prevent, detect, contain, and correct security violations, and to protect against uses or disclosures of electronic protected health information that are reasonably anticipated but not permitted by the privacy rules,” the complaint said.
HIPPA rules require MedStar to provide notice of a data breach to affected individuals “without unreasonable delay and in no case later than 60 days following discovery of the breach,” among other requirements, including one to “mitigate any harmful effect” to "the extent practicable,” the complaint said. MedStar “failed to comply with such obligations,” despite being aware of the “significant repercussions that would result from its failure to do so,” it said.
Both plaintiffs suffered a loss of time, interference and inconvenience and will spend considerable time on issues related to the data breach, alleged the complaints. Riddick and Richter suffered “imminent and impending injury arising from the substantially increased risk of fraud, identity theft, and misuse” resulting from their PHI and PII “being placed in the hands of criminals,” the complaint said.
In addition to statutory violations, the plaintiffs assert claims of negligence, breach of implied contract and fiduciary duty, and unjust enrichment. They seek orders enjoining the defendant from engaging in the wrongful conduct described; requiring it to encrypt all data collected through the course of business and to delete and destroy the PII of plaintiffs and class members; and to implement a comprehensive information security program. The plaintiffs request actual, compensatory, nominal and punitive damages; attorneys’ fees and costs; and pre- and post-judgment interest.