Health Data Theft Case Prompts Lawsuit

[Erica Absetz <erica () riskbasedsecurity com>]

Adventist Health System faces a class action lawsuit seeking damages
for failure to safeguard the HIPAA-protected information of 763,000
patients at several of its hospitals in Florida.

At the heart of the lawsuit is a breach that involved a former
emergency department worker of Florida Hospital Celebration. Over a
two-year period from 2009 to 2011, the worker improperly accessed the
electronic records of more than 763,000 patients treated at several
Florida Hospital locations and sold personal information on about
12,000 patients to a co-conspirator, law enforcement officials say.
That information was used to solicit legal and chiropractic services
for patients involved in motor vehicle accidents, according to law
enforcement officials (see: Prison Time for Health Data Theft).

The class action lawsuit seeks unspecified damages for individuals
whose sensitive information was inappropriately accessed. It also asks
the court to order Adventist to protect all data collected in
compliance with HIPAA and industry standards.

Florida Hospital Celebration is one of 37 hospitals in the Adventist network.

Selling Data For Profit

The former hospital worker, Dale Munroe II, pleaded guilty and was
sentenced in January to a year in federal prison for selling patient
information he improperly accessed (see:Selling Records for Profit
Alleged).

Two other co-conspirators in the incident, including Munroe's wife
Katrina, who was a former insurance worker at Florida Hospital
Celebration, and Sergei Kusyakov, who was involved with the operation
of two Florida chiropractic centers, also pleaded guilty. Kusyakov,
who authorities allege paid Munroe for the stolen patient information,
was recently sentenced to four years in federal prison. Katrina Munroe
awaits sentencing in July.

Lawsuit's Allegations

The class action lawsuit, filed April 9 in the U.S. District Court in
Orlando, Fla., alleges that "Florida Hospital breached its statutory
obligation and express promise by maintaining its patients' sensitive
information in anelectronic database that lacked crucial - and
statutorily required - security measures and protocols, in addition to
failing to adequately train and monitor its employees access to
sensitive information."

The lawsuit alleges that Florida Hospital employees were "able to
easily gain access to the sensitive information of thousands of
patients across 22 campuses using nothing more than employer provided
log-in credentials, even though they were not authorized to access
such information."

A spokeswoman for Adventist said on April 15 the organization had not
yet been served court papers and declined to comment.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.