California Healthcare Law

The Blackbaud breach is infamous for the sheer number of organizations the incident affected. Among the hundreds of affected organizations were several in the healthcare industry, and the breach compromised the protected health information of more than 11 million patients across the country. One such victim has filed a lawsuit against Rady Children’s Hospital, one of the breached organizations, under California healthcare law. More details on the lawsuit are discussed below.

What is California Healthcare Law?

California healthcare law provides stricter requirements for healthcare providers operating in, or treating patients residing in, California. As a general rule, when a State law imposes stricter regulations than a Federal law, entities must comply with the stricter State law. 

Under HIPAA, patients do not have a private right of action to file a lawsuit against a healthcare organization that violates their rights. However, many States allow patients to do so. California is one such state.

Under the California Confidentiality of Medical Information Act (CMIA), patients have the right to bring an action against any entity or individual that releases the patient’s information negligently. This allows patients to seek monetary damages from entities that compromise their PHI. Under HIPAA, by contrast, patients do not have the right to seek compensation from an organization that violates their HIPAA rights. The CMIA also applies to non-medical organizations, whereas HIPAA only applies to healthcare organizations (covered entities and business associates).

In addition, the California Consumer Privacy Act (CCPA) applies not only to medical information, but to any personal information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked to, directly or indirectly, a particular consumer or household. The CCPA provides stricter regulations for reporting breaches than HIPAA, and gives individuals more rights with regard to their personal information.

What Does the Lawsuit Allege?

The Blackbaud breach admittedly compromised the protected health information (PHI) of 19,800 Rady Children’s Hospital patients. The guardian of one of the patients affected by the breach has filed a lawsuit against both Rady and Blackbaud. The lawsuit alleges that the Hospital violated California healthcare law, particularly the California Confidentiality of Medical Information Act and California Consumer Privacy Act, by failing to reasonably protect PHI from unauthorized disclosure.

The lawsuit also makes claims of invasion of privacy, negligence, and breach of implied contract. The lawsuit seeks restitution, exemplary damages, injunctive relief, and an admission of guilt on Rady’s part.

According to the lawsuit, “[Rady] had the resources necessary to protect and preserve confidentiality of electronic medical information of [patients] in its possession, but neglected to adequately implement data security measures according to its representations. Additionally, the risk of vulnerabilities in its computer and data systems of being exploited by an unauthorized third party trying to steal [patients’] medical information was foreseeable and/or known to [Rady].”

These claims are evidenced by a previous breach that occurred in January 2020 and lasted six months, in which the PHI of 20,000 patients was exposed. Had Rady altered its security policies following the first breach, it is likely that it would not have fallen victim to the second.