Data Breaches This Week

An employee’s alleged information theft at a Georgia medical center, a cyber security incident at a Kentucky hospital, and signs of a potential ruling in a pending class-action lawsuit lead this week’s edition of “Into the Breach.”

Employee Charged Following Patient Data Theft

A former employee of South Georgia Medical Center in Valdosta, Georgia, has been charged with felony computer theft and felony computer invasion of privacy following the unauthorized download of electronic protected health information (ePHI) from as many as 41,692 patients.

Security software at the hospital alerted officials on November 12, 2021, that an employee had downloaded data onto a USB drive on the previous day. The accused employee ended her employment with the medical center on November 11, 2021.

The hospital reported the breach to the Department of Health and Human Services’ Office for Civil Rights as required by the HIPAA Breach Notification Rule.

According to the hospital, no data was erased from its systems, and all copied files have been recovered. There have been no reports to date that financial data or Social Security numbers were misused, but complimentary credit monitoring services have been offered to all affected individuals.


Hospital Services Impacted by “Cyber Security Incident”

Taylor Regional Hospital in Campbellsville, Kentucky, is suffering a loss of phone, IT, and other services following what it has termed a “cyber security incident.”

In a statement posted on its website, the hospital reports that many hospital departments and hospital-affiliated clinics have provided alternate phone numbers. Patients have been told to bring all medications with them to appointments, and lab services will require written orders. Longer wait times are expected for services.

No further details regarding the incident have been made available as of press time.

Possible Dismissal Looming in Practicefirst Class-Action Suit

On February 1, 2022, U.S. Magistrate Judge Michael Roemer, Western District of New York, issued a report and recommendation (R&R) to dismiss a would-be class-action lawsuit, Tassmer et al. v. Professional Business Systems, against medical management company Practicefirst. The parties have a deadline of February 22, 2022, to file objections or extensions to the R&R. Any objections will be reviewed by U.S. District Judge John L. Sinatra Jr., who will then issue a ruling accepting or rejecting Judge Roemer’s recommended disposition.  

Plaintiffs filed the suit following notification of a December 2020 ransomware attack against Practicefirst that potentially exposed the protected health information of as many as 1.2 million people. 

In their complaint, the plaintiffs claimed that, “after receiving notification of the data breach, they spent time reviewing their account statements and credit reports for any indication of actual or attempted identity theft, and that this was valuable time which could have been spent on other activities…”

A ruling last June by the U.S. Supreme Court significantly shifted the way federal courts handle data breach cases. The high court ruled that data breach victims must demonstrate actual injury and prove that the defendant’s conduct caused the damage. 

Despite the Plaintiffs’ claim that the breach caused actual injuries, including a diminished PHI value, a violation of their privacy rights, and the possibility of future harm due to the increased risk of identity theft, the judge ruled they did not show, “…that they experienced concrete harm arising from the data breach or a threat of future harm that is actual or imminent.”

If Judge Sinatra adopts the R&R, the U.S. Supreme Court’s June 2021 decision in TransUnion LLC v. Ramirez stands to figure prominently in his decision. In that case, a divided 5-4 Court ruled that the mere risk of future harm, without more, cannot qualify as the concrete harm needed to establish standing in a lawsuit for damages brought in federal court.

Daniel Lebovic, regulatory attorney at Compliancy Group, predicts that the Ramirez case will fundamentally alter how federal courts analyze data breach lawsuits. 

“Gone are the days where federal courts would wrestle with the issue of whether a plaintiff was legally ‘injured’ by having been the victim of a data breach, so as to open the federal courthouse door to that plaintiff’s claim for damages,” said Lebovic.

“The Supreme Court’s ruling in Ramirez makes clear that only those data breach claims alleging concrete harm – physical harm, monetary harm, or intangible harms such as reputational harms – will be entertained by federal courts.”
