HIPAA Breach Spawns Class Action Lawsuit


The theft of unencrypted laptop computers from a vendor that handles billing and patient payment collections for Los Angeles County has now resulted in a class action lawsuit.  The Los Angeles Times reported that the suit alleges patients were not timely notified and that the free credit monitoring being offered by the vendor is not sufficient.

The theft of five laptops occurred on February 5, 2013.  It resulted in a HIPAA breach affecting approximately 168,500 individuals.  Information contained in the unencrypted computers included Social Security numbers, demographic data, billing information, dates of birth and medical diagnosis.

The lawsuit alleges violations of California state laws, and is seeking an unspecified figure for damages, attorneys’ fees and appropriate injunctive relief.

According to an article on healthcareinfosecurity.com, one of the attorneys for the plaintiffs, Genie Harrison, stated that discovery will move forward regarding details of physical security at the vendor’s offices as well as why encryption and other safeguards were not utilized.  In addition, “We’ll get a copy of the contract [the county] had with Sutherland, and obtain information about the obligations they had for their client,” she says.

While HIPAA does not provide for a private cause of action, state laws may provide an avenue for individuals to seek relief in court.  In this case, the plaintiffs argue that California state laws regarding breach notification require that individuals be notified immediately and that this was not done.  In addition, plaintiffs are arguing that California privacy laws were violated.

Speak Your Mind