More Patients Are Suing Hospitals for Data Breaches
By Stacey Kusterbeck
If an ED patient’s information is compromised in a data breach, that person is at higher risk of identity theft for years to come. “The ED is vulnerable to cybersecurity attacks, given the types of sensitive personal data that are collected and stored — names, birthdates, Social Security numbers, medical histories, and medical insurance information,” says Samantha E. Holbrook, Esq., a partner with Shub & Johns LLC specializing in class-action litigation.
Attorneys are filing more class-action lawsuits against hospitals over data breaches [1-3]. “We are seeing a lot of hospitals falling far short of security benchmarks accepted as best practices in the industry, which is why there is an increase in data breach litigation across the board,” Holbrook reports.
By accessing patient information stored in ED systems, cybercriminals can apply for medical benefits, submit false medical claims for reimbursement, and sell the data on the black market.
“Many of the patients we see bringing these lawsuits have already experienced some type of fraud or misuse,” Holbrook adds.
Plaintiff attorneys argue medical providers should be held accountable for ignoring security risks. The lawsuits allege hospitals are taking a lax approach to protecting highly sensitive and confidential patient information. Holbrook says there are three factors that could affect the outcome of these suits: the types of information compromised in the breach, allegations of injuries, and similar data breach jurisprudence in a given jurisdiction.
When Social Security numbers and personal medical information are compromised, these are considered stronger cases. This is due to the value of these data on the dark web, and the various forms of identity theft that can occur when the information lands in the wrong hands, according to Holbrook.
The healthcare field generally, and EDs particularly, are “high-value targets because of the nature of the data they hold,” says Rob D’Ovidio, PhD, associate professor of criminology and justice studies at Drexel University.
“We are seeing an uptick in identity theft in healthcare. Healthcare protected health information [PHI] is very valuable in the marketplace, and people are brokering and selling this information,” D’Ovidio observes.
While a breach of credit card data is a financial concern for consumers, a breach of medical information is a violation of privacy. “That’s what’s driving consumers jumping on these lawsuits. It elevates the invasive nature of the incidents to a level we are not seeing with financial PHI,” D’Ovidio notes.
The class-action lawsuits allege the hospital was negligent regarding data protection. D’Ovidio says the same issues also are true for EDs. “What we are finding is that these lawsuits are really connected to ‘You didn’t do this, and government regulations say that these are best practices.’ When you didn’t engage in the best practices, that’s where you’re negligent, and that’s where the payout comes in,” D’Ovidio explains.
The uptick in class-action lawsuits also is driven by more hospitals and health systems buying insurance policies that cover data breaches. Hospitals would need a policy that specifically covers a breach or computer security incidents, or a rider that amends an existing policy so that breaches and/or computer security incidents are covered.
“Once the insurance company gets involved, the money is there to pay out the suits. It is not surprising to see more attorneys pushing this,” D’Ovidio says.
Every state requires organizations to report data breaches. Hospitals can be held liable for failing to report. “But we are not seeing lawsuits involving breach notification,” D’Ovidio says.
Instead, hospitals are sued for failing to adhere to best practices for securing data. For the ED, there are unique risks in this regard. “Because it’s such a fast-paced, transient dynamic, there are physical security issues,” D’Ovidio says.
Lawsuits might allege the ED failed to monitor terminals, or that staff failed to log out properly. “Employee training really needs to come into play,” D’Ovidio stresses. “You can’t rely on the technical side to be sure systems are secure.”
Some of the class-action lawsuits allege EDs and hospitals failed to use industry practices and tools that are currently available to secure medical data. “You want to be sure you are doing what other hospitals are doing so nobody can fault you,” D’Ovidio says. “We are still seeing instances of neglect, in terms of keeping up with security. There is a constant need to reassess, to be sure data are protected.”
REFERENCES
1. McCullough E. Class action suit filed against HCA Healthcare over data breach. July 21, 2023. WKRN.
2. Kent S. A NJ hospital suffered a data breach. Now a patient is suing. Feb. 21, 2023. NJ.com.
3. Aponte CI. One Brooklyn Health cyberattack breached patient data, prompts class action suit. April 27, 2023. The City.