A class-action lawsuit stemming from a February 2023 healthcare data breach in Pennsylvania further illustrates the need for an effective HIPAA compliance strategy, including data security and controls.

The IT website The Register reported that medical records of at least two breast cancer patients, containing above-the-waist nude photos, were among 75,000 patient records stolen by the BlackCat ransomware group.

After Lehigh Valley Health Network (LVHN) refused to pay the ransomware gang, BlackCat began leaking patient info, including photos of the two cancer patients.

In a lawsuit filed on March 13, 2023, one of the patients, using the pseudonym “Jane Doe” to protect her identity, detailed how she discovered the breach. One notable allegation claims that when notifying Doe of the incident, the LVHN VP of Compliance “…offered plaintiff an apology, and with a chuckle, two years of credit monitoring.”

The lawsuit further alleges that in addition to the photos, the ransomware gang likely stole Doe’s physical and email addresses, date of birth, Social Security number, health insurance provider, medical diagnosis and treatment information, and lab results in the breach.

Attorneys representing Doe say they expect the number of patients affected by the breach to be in the “hundreds if not thousands” and noted that in 2021 LVHN also reported the theft of patients’ protected health information from a business associate.

Healthcare Data Breaches and Lawsuits

While the details of this case are atypical, it highlights another source of liability for healthcare organizations and their business associates: lawsuits related to data breaches.

Under HIPAA rules and regulations, patients cannot sue covered entities or their business associates for damages because of HIPAA violations. Federal enforcement of civil and criminal HIPAA violations is the responsibility of the Health and Human Services Office for Civil Rights and the U.S. Attorney’s Office.


But Compliancy Group’s Senior Compliance Attorney Dan Lebovic notes that there are other pathways for injured parties to pursue.

“HIPAA requires hospitals to have policies and procedures in place to keep patient information confidential and secure, but most states have privacy laws that allow victims of data breaches to seek compensatory damages if they are provable,” said Lebovic. 

“Such a plaintiff may be able to file suit under state law negligence, breach of implied contract, or invasion of privacy theories. Indeed, the plaintiffs who claim they were victims of the LVHN breach have pled exactly these claims in their lawsuit, along with a claim under the federal FTC Act for the hospital’s alleged unfair act of failing to safeguard their health information.”

Attorneys representing the victims of data breaches are aggressively pursuing damages in data breach lawsuits. For example, Regal Medical Group, Inc., of California, reported a breach affecting at least 3,300,638 patients on February 1, 2023. A Google search for details of the Regal breach also returns results from plaintiffs’ law firms seeking injured parties to join class-action lawsuits.

Lebovic added that the nature of the alleged facts and LVHN’s involvement in another recent breach make this especially troubling for a healthcare group that oversees 13 hospitals, 28 health centers, and dozens of other physicians’ clinics, pharmacies, rehab centers, imaging, and lab services.

“The plaintiffs’ claims – which allege breach of financial data and sensitive medical data – are the type of injury for which courts are empowered to award damages. It’s hardly a laughing matter,” said Lebovic.

The Register: Cancer patient sues hospital after ransomware gang leaks her nude medical photos
