melniklegal.com

List of Federal and State Actions Based on Data Breaches and other Privacy Violations

Since the passage of the HITECH Act in 2009, both the Office of Civil Rights (OCR), the primary regulator of HIPAA and States' Attorney's General have become more aggressive in enforcing the healthcare privacy rights of individuals. Similarly, the Federal Trade Commission (FTC) has become more aggressive in enforcing the privacy rights of all consumers.

This page is meant to serve as a resource to:

anyone interested in learning more about the actions that have been taken by regulators against companies who have lost or otherwise misused the information entrusted to them.
businesses who want to better understand their role and responsibilities in protecting consumer or client information and the types of incidents that may lead to action by regulators.

We have also included a selection and listing of data breach class action litigation (and settlement details as applicable) as well as other private actions where the privacy and security of PHI, ePHI, or other private information was an issue.

If you are aware of an incident that you do not see listed here, please contact us!

Actions based on the Health Insurance Portability and Accountability Act (HIPAA)

Because of a lack of technical safeguards, deactivation (from the network) of a personally-owned server containing the ePHI of 6,800 NYP patients resulted in the ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual's deceased partner, a former patient of NYP, on the internet.

Action by?	Action Against?	Incident - Problematic Activity	Incident Date	Date of Action	Grounds for Action	Fine - Amount	Resolution and Remediation
OCR	Cignet Health	Denying patients access to medical records	Prior to 3/1/2009		Violation of the Privacy Rule; Willful Neglect under the HITECH Act	$4.3 M	2/4/2011 (not a settlement) Filed suit with the District Court Notice of Final Determination
OCR	General Hospital Corp. & Physicians Org	Left documents on subway	3/9/2009		Violation of the Privacy Rule	$1 M	Settled: 2/14/2011 Resolution Agreement
OCR	UCLA Health System	Workers snooping on celebrity patients	Prior to 6/5/2009		Violation of the Privacy and Security Rules	$865,500	Settled: 7/5/2011 Resolution Agreement
OCR	Blue Cross Blue Shield TN	Unencrypted hard drives stolen from a leased facility	Prior to 11/3/2009 (self reported)		Violation of the Privacy and Security Rules	$1.5 M	Settled: 3/13/2012 Resolution Agreement
OCR	Phoenix Cardiac Surgery, P.C.	Posting clinical and surgical appointments for their patients on an Internet-based calendar that was publicly accessible	Prior to 2/19/2009	OCR notified Phoenix on 2/19/2009 that it would be investigating	Violation of the Privacy and Security Rules	$100K	Settled: 4/13/2012 Resolution Agreement
OCR	Alaska Department of Health and Human Services	Portable electronic storage device potentially containing ePHI was stolen from the vehicle of a DHSS computer tech	Oct. 12, 2009; self report - notified OCR on Oct. 30, 2009	OCR notified DHSS on 1/8/2010 that it would be investigating	Violation of the Security Rule	$1.7M	Settled: 6/25/2012 Resolution Agreement
OCR	Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, �MEEI�)	Theft of an unencrypted personal laptop containing the ePHI of MEEI patients and research subjects. (According to reports from Data Breach Today, "OCR launched its investigation of the Massachusetts hospital after it reported the February 2010 theft of a laptop computer belonging to neurologist Robert Levine, M.D., who was traveling in South Korea for a lecture.")	Prior to 4/21/2010 (which is the self-report date)	OCR notified MEEI on 10/5/2010 that it would be investigating	Violation of the Privacy and Security Rules	$1.5M	Settled: 9/17/2012 (announcement date) Resolution Agreement
OCR	Hospice of Northern Idaho (HONI) (first settlement involving fewer than 500 patients)	Theft of a laptop containing the ePHI of 441 individuals	Prior to 2/16/2011 (which is the self-report date)	OCR notified HONI on 7/22/2011 that it would be investigating	Violation of the Security Rule	$50K	Settled: 12/28/2012 Resolution Agreement
OCR	Idaho State University					$400K
OCR	Shasta Regional Medical Center					$275K
OCR	WellPoint Inc.					$1.7M
OCR	Affinity Health Plan, Inc.					$1,215,780
OCR	Adult & Pediatric Dermatology, P.C.					$150K
OCR	Skagit County, Washington					$215K
OCR	Concentra Health Services	Unencrypted laptop stolen from one of the company's facilities - Springfield Missouri Physical Therapy Center	11/30/2011	Notified OCR on 12/28/2011 OCR notified that will investigate on 5/31/2012	Violation of the Privacy and Security Rules	$1,725,220	Settled: 4/21/2014 Resolution Agreement
OCR	QCA Health Plan, Inc. of Arkansas	Unencrypted laptop computer containing the ePHI of 148 individuals stolen from a workforce member's car	Prior to 2/21/2012 Notified OCR on 2/21/2012	OCR notified that will investigate on 5/3/2012	Violation of the Privacy and Security Rules	$250K	Settled: 4/14/2014 Resolution Agreement
OCR	New York and Presbyterian Hospital (NYP) and Columbia University (CU) - separate covered entities that participate in a joint arrangement; refer to their affiliation as "New York Presbyterian Hospital/Columbia University Medical Center."	Breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing the ePHI of 6,800 NYP patients. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual's deceased partner, a former patient of NYP, on the internet.	Prior to 9/10/2010 Notified OCR on 9/27/2014	OCR notified that will investigate on 11/5/2010	Violation of the Privacy and Security Rules For details, see blog post.	NYP: $3,000,000 CU: $1,500,000	Settled: announced on 5/8/2014 Resolution Agreement with NYP Resolution Agreement with CU
OCR	Parkview Health System, Inc.	Medical records dumping - In Sept. 2008, Parkview took custody of medical records for approx. 5,000 to 8,000 patients while assisting a retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician�s practice. On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician�s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.	June 4, 2009	Doctor filed a report with OCR on 6/10/2009 OCR began investigation on 5/16/2011	Violation of the Privacy Rule	$800,000	Settled: announced on 6/23/2014 Resolution Agreement
OCR	Anchorage Community Mental Health Services	"[B]reach of unsecured electronic protected health information (e-PHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources."	3/2/2012 (self report date)	OCR notified ACMH on 6/2/2012 that it would be investigating	Violation of the Security Rule For details, see blog post.	$150K	Settled: 12/2/2014 Resolution Agreement
OCR	Cornell Prescription Pharmacy	Improper disposal of paper records (throwing them into regular trash bin)	Prior to 1/11/2012 (through media report)	OCR notified Cornell on 1/13/2012 that it would be investigating	Violation of the Security Rule	$125K	Settled: 4/22/2015 Resolution Agreement

Action by the FTC under its Section 5 Authority

Actions based on State Law

Tabata v. Charleston Area Medical Center, Inc., Decision No. 13-0766, Civil Action No. 11-C-524 (Supreme Court of Appeals of West Virginia, May 28, 2014) (the Supreme Court of Appeals of West Virginia is the name of the Supreme Court in West Virginia)

Jurisdiction: West Virginia
Action against: Charleston Area Medical Center, Inc. and CAMC Health Education and Research Institute, Inc. (collectively, CAMC)
Action stems from: Data breach when a database operated by CAMC was placed online and the information could be found "if someone were to conduct an advanced internet search." The database "contained the names, contact details, Social Security numbers, and dates of birth of 3,655 patients, along with certain basic respiratory care information.�
Causes of action: (1) breach of duty of confidentiality; (2) invasion of privacy � intrusion upon the seclusion of the petitioners; (3) invasion of privacy � unreasonable publicity into the petitioners� private lives; and (4) negligence. Also filed a motion for class certification pursuant to W.Va. RCP 23.
Injuries claimed: Increased risk of identity theft and/or fraud, etc.
While discovery revealed that the plaintiffs were not aware of any unauthorized or malicious uses

State of California v. Kaiser Foundation Health Plan, Case No. RG14711370 (Sup. Ct. Cal. Jan. 2014)

California Attorney General lawsuit stemming from allegedly delayed notification in a data breach.

Selected Data Breach and Privacy Class Actions

See also the Tabata v. Charleston Area Medical Center, Inc case noted above in the State Action section
Vides v. Advocate Health & Hosps. Corp., Ill. Cir. Ct., No. 13-ch-2701 (2014)

Case dismissed on May 27, 2014 (copy of Decision) on a number of grounds including lack of standing (citing Clapper v. Amnesty Intern'l USA, 133 S.Ct. 1138 (2012)) and for failure to state a claim (because cannot demonstrate damages)

Jurisdiction: Illinois
Action against: Advocate Health and Hospitals Corporation d/b/a Advocate Medical Group (i.e., the covered entities) ("Advocate is a network of affiliated doctors and hospitals that systematically and regularly conduct business in and throughout Lake County Illinois.")
Action stems from: Data breach where four (4) unencrypted laptops containing patients� names, addresses, dates of birth, Social Security numbers, treating physician and/or departments for each individual, their medical diagnoses, medical record numbers, medical service codes, and health insurance information were stolen from one of Advocate's facilities
Causes of action: (1) Negligence; (2) Violation of Consumer Fraud and Deceptive Business Practices Act; (3) Invasion of Privacy by Public Disclosure of Private Facts; (4) Consumer Fraud Act; (5) Intentional Infliction of Emotional Distress; and (6) Injunctive Relief
Injuries claimed: Increased risk of identity theft and/or fraud, out-of-pocket expenses incurred to mitigate the increased risk of identity theft and/or fraud, time lost mitigating the increased risk of identity theft and/or fraud, loss of privacy, and anxiety and emotional distress

Springer v. Stanford Hospital and Clinics, Cal. Super. Ct., No. BC470522 (2014)

Settlement filed 3/13/14 (copy of Complaint)
Settlement terms:

$3.3M - paid by the business associate and subcontractor, see below, to affected patients (of which $1.3M are for attorneys' fee to three law firms)
$500,000 - paid by SHC to fund "the creation of an educational project aimed at helping to reinforce new federal regulations issued in 2013 that hold vendors directly responsible for privacy breaches" (BNA 23 HLR 440)
$250,000 - paid by SHC to cover the administrative costs of the settlement

Jurisdiction: California
Action against: Stanford Hospital & Clinics (SHC) and two business associates of SHC - Multi-Specialty Collection Services LLC (MSCS) and an MSCS contractor, Corcino & Associates (i.e., a subcontractor of a business associate)
Action stems from: Data breach where data from the emergency room visits of about 20,000 patients was left online and accessible to everyone for almost a year. An individual from the subcontractor posted live data to a homework help website in an effort to get assistance with creating a graph. The action was based on California's Confidentiality of Medical Information Act.