Costly End to 17-Year-Old Breach CaseTenet Healthcare, Plaintiffs Reach $32.5 Million Settlement
A settlement finalized this past week in a class action lawsuit filed in 1997 against Tenet Healthcare for a privacy breach involving thousands of patients' paper records offers important lessons for healthcare providers today.
See Also: HIPAA Audits: A Revised Game Plan
One key takeaway from the settlement is that while most healthcare organizations have been moving to safeguard electronic health records and other digital platforms, millions of paper records remain in their institutions that need proper safeguarding. Those paper records contain patients' protected health information, including those from closed facilities and in storage.
Patient electronic data stored on old computer equipment also need to be properly disposed by healthcare providers or their business associates, or else risk breaches that potentially can turn into costly and protracted lawsuits or enforcement actions by government regulators.
"This case is a good reminder that while people focus on electronic information, paper records still need to be protected, as does digitized information from closed operations," says Elizabeth Hodge, a compliance attorney for the Akerman law firm.
The $32.5 million settlement between the Dallas-based hospital chain and plaintiffs is the end of a class-action suit that was filed in a New Orleans court 1997. The suit focused on a breach that occurred in April 1996 when boxes of medical and mental health records for more than 5,600 patients were found discarded in the parking lot of a Louisiana psychiatric center. That facility, which at the time had recently been shut down, was owned by Tenet Healthcare. The documents contained patient names, diagnoses, medication, treatment and financial data.
The suit charged that the breach, which occurred before the HIPAA privacy rule took effect in 2001, was an invasion of the plaintiffs' privacy.
A lawyer representing the plaintiffs, Alex Ducros of the Orrill, Cordell and Beary law firm, issued a statement saying his clients were satisfied with the terms of the settlement "that provides all class members who have suffered harm the opportunity to recover fair compensation has been reached."
The settlement established a fund from which each of the 5,649 plaintiffs will receive $1,000. The remainder of the settlement money will cover lawyer fees and administrative costs accumulated over 17 years.
Tenet, in a statement, says it agreed to resolve the matter related to a hospital it had sold nearly two decades ago. "The matter has been litigated through the Louisiana state court system for 17 years," the Tenet statement says. "While we do not agree that the action was suitable for class treatment, we made the business decision to bring this matter to resolution."
The case against Tenet stretched for nearly two decades, in large part, to multiple appeals that were filed during various stages of the litigation. "This case is extreme in the length of time it took, but it shows how complex breach suits can be," Hodge says.
Privacy attorney Adam Green says the case demonstrates some of the challenges presented by class action suits regarding information breaches. "Even though there is minimal case law that actually finds in favor of plaintiffs with respect to information security breaches, they can still lead to very costly settlements and time-consuming litigation that can drag on for years - or, in this case, decades," says Green of the Davis Wright Tremaine law firm. "I do think this case is very unusual, though, with respect to how long the litigation lasted. Other data breach class actions that settled have done so far sooner, such as five years after the incident."
Among recent class action lawsuits was a $3 million settlement in October 2013 between AvMed, a health plan company, and plaintiffs in a case stemming from a 2009 data breach that affected 1.2 million individuals (see Settlement In AvMed Breach Suit). That case involved two stolen unencrypted laptops containing AvMed health plan member names, addresses, Social Security numbers and medical information.
Beware of Regulators
While the Tenet breach involving the improperly discarded paper records happened before the HIPAA privacy rule became law, those kinds of incidents can surely draw the attention of federal regulators for expensive enforcement actions today. "The Office for Civil Rights has been picking cases like these to serve as a teaching tool," Hodge says of the agency within the Department of Health and Human Services that enforces HIPAA.
In June, for example, OCR slapped Parkview Health System with a $800,000 HIPAA settlement as a result of an incident in June 2009 involving the paper medical records of 5,000 to 8,000 patients. Parkview, a not-for-profit organization serving northeast Indiana and northwest Ohio, employees had left 71 cardboard boxes of patient records at the end of a driveway of a physician's home, within 20 feet of the public road (see $800,000 Penalty For Paper Records Breach).
Another important lesson coming from the Tenet case is that it's not just the healthcare sector that's dealing with a need to protect sensitive information that's on paper. "Nearly a third of breaches involve paper...and this is a problem across many industries," says attorney Beth Diamond, global claims team leader at Beazley, a provider of cyber insurance says. "This case is a reminder of the need to mitigate risk, including having [data] destruction policies, and training workers."
Diamond says the Tenet case also proves "you don't have to have a breach affecting a million people for these cases to turn into tricky litigation that is costly to defend and resolve."