Health Data Theft Case Prompts LawsuitSuit Alleges Adventist Health Failed to Protect Information
Adventist Health System faces a class action lawsuit seeking damages for failure to safeguard the HIPAA-protected information of 763,000 patients at several of its hospitals in Florida.
At the heart of the lawsuit is a breach that involved a former emergency department worker of Florida Hospital Celebration. Over a two-year period from 2009 to 2011, the worker improperly accessed the electronic records of more than 763,000 patients treated at several Florida Hospital locations and sold personal information on about 12,000 patients to a co-conspirator, law enforcement officials say. That information was used to solicit legal and chiropractic services for patients involved in motor vehicle accidents, according to law enforcement officials (see: Prison Time for Health Data Theft).
The class action lawsuit seeks unspecified damages for individuals whose sensitive information was inappropriately accessed. It also asks the court to order Adventist to protect all data collected in compliance with HIPAA and industry standards.
Florida Hospital Celebration is one of 37 hospitals in the Adventist network.
Selling Data For Profit
The former hospital worker, Dale Munroe II, pleaded guilty and was sentenced in January to a year in federal prison for selling patient information he improperly accessed (see: Selling Records for Profit Alleged).
Two other co-conspirators in the incident, including Munroe's wife Katrina, who was a former insurance worker at Florida Hospital Celebration, and Sergei Kusyakov, who was involved with the operation of two Florida chiropractic centers, also pleaded guilty. Kusyakov, who authorities allege paid Munroe for the stolen patient information, was recently sentenced to four years in federal prison. Katrina Munroe awaits sentencing in July.
The class action lawsuit, filed April 9 in the U.S. District Court in Orlando, Fla., alleges that "Florida Hospital breached its statutory obligation and express promise by maintaining its patients' sensitive information in an electronic database that lacked crucial - and statutorily required - security measures and protocols, in addition to failing to adequately train and monitor its employees access to sensitive information."
The lawsuit alleges that Florida Hospital employees were "able to easily gain access to the sensitive information of thousands of patients across 22 campuses using nothing more than employer provided log-in credentials, even though they were not authorized to access such information."
A spokeswoman for Adventist said on April 15 the organization had not yet been served court papers and declined to comment.