A Pennsylvania addiction treatment center is the target of a class action lawsuit alleging that it not only failed to protect patients’ personal health information, but also that its “negligence and deceptive practices” resulted in the inappropriate access of information on nearly 8,000 people.
The case is one of a growing number of class action lawsuits filed by those whose personal health information (PHI) has been stolen in a data breach. It is estimated that from 2005 to 2019, the total number of individuals affected by healthcare data breaches was 249.09 million.
The Pennsylvania complaint was filed by Kris Reese and Todd Saylor on behalf of themselves and others in the Philadelphia County Court of Common Pleas against Pennsylvania Adult & Teen Challenge (PAATC), a faith-based addiction treatment center.
It alleges that PAATC discovered that an unauthorized person had gained access to its computer systems in late July 2020, stealing the personal health information of approximately 7,771 former and current patients. That information included names, Social Security numbers, driver’s license numbers, bank account and credit card information, as well as diagnosis and treatment information, provider and other medical information.
Although the treatment center launched its own investigation in December 2020, the lawsuit alleges that it did not start notifying victims until March 2021 – nearly 8 months after the breach was discovered.
“At best, PAATC should have known that data breach’s victims deserved prompt and efficient notice of the data breach in order for those victims to start mitigating the effects of PHI misuse. At worst, PAATC, upon information or belief, knew the severity of the data breach but chose to ignore and downplay the size and scope of the data breach by delaying its disclosure to victims,” the complaint states.
It’s alleged in the complaint that PAATC failed to adequately train its employees on even the basic cybersecurity protocols, including:
- Effective password management and encryption protocols, including, but not limited to, the use of multi-factor authentication for all users.
- Locking, encrypting and limiting access to computers and files containing sensitive information.
- Implementing guidelines for maintaining and communicating sensitive data.
- Protecting sensitive patient information, including personal and financial information, by implementing protocols on how to request and respond to requests for the transfer of such information and how to securely send such information through a secure file transfer system to only known recipients.
- Providing focused cybersecurity awareness training programs for employees.
The complaint levels claims of negligence, breach of an implied contract, unjust enrichment, violation of the Pennsylvania Unfair Trade Practices and Consumer Protection Law, and violation of the Pennsylvania Breach of Personal Information Notification Act.
A study published in May 2020 titled Healthcare Data Breaches: Insights and Implications notes that while electronic health data collection has helped facilitate patient care, such information has become a “key source of privacy breaches.”
As the number of healthcare data breaches continues to rise, we can expect to see a concomitant increase in the number of lawsuits. Providers would be well advised to make sure that they are taking every step necessary to ensure that patients’ information is protected and that employees are educated in best practices.
The Health Law Offices of Anthony C. Vitale can assist clients with compliance with HIPAA’s Privacy and Security rules and regulations. For information call 305-358-4500 or email firstname.lastname@example.org