Lawsuit Filed in BA Breach Involving Fraud
Medical Billing Company Incident Led to Income Tax Fraud
Lawsuits are routinely filed on behalf of the victims of health data breaches. But relatively few of these lawsuits target business associates, rather than healthcare organizations. And even fewer involve cases with evidence of fraud. That's why the breach-related lawsuit filed Aug. 4 against Intermedix Corp. is unusual.
The company, which provides medical billing services to ambulance companies and emergency medical responders, experienced a breach involving a former employee, who ultimately was sentenced to prison in a federal income tax fraud case.
The lawsuit against Intermedix alleges, among other claims, that the company was negligent in protecting patient data, which led to the fraud. It also alleges that the firm failed to promptly notify victims of the breach.
The suit is seeking class action status for two classes of individuals - those whose data was inappropriately accessed, and a subclass of those who are victims of identity fraud resulting from the breach. It seeks unspecified restitution and damages.
Yehnotan Weinberg, the lead plaintiff in the case, alleges that he was a victim of federal income tax fraud as a result of the breach.
But using evidence of tax fraud stemming from identity theft tied to a data breach to support a class action lawsuit seeking damages is "tricky because the government is often the actual victim," notes privacy attorney Kirk Nahra of the law firm Wiley Rein, who is not involved in the case. "Also, in other cases I have seen, the tax fraud affects a very small percentage of people whose information was potentially available to be accessed."
Proof of Damages?
Breach cases involving evidence of actual fraud are relatively rare, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"While for most breaches there is no clear evidence of harm, we have seen some cases where breaches resulted in actual fraud," he says. "Class actions often follow in those cases, and may be significantly stronger than the cases that we have seen dismissed due to a lack of proof of damages.
"Proving damages, though, is only one hurdle that the plaintiffs have to overcome. I do not recall yet seeing a settlement or verdict in a breach class action where there was clear evidence of fraud, as I believe the cases are still working their way through the system."
The suit against Advanced Data Processing, which provides billing services to ambulance companies and emergency services agencies under the Intermedix name, was filed on Aug. 4 in the U.S. District Court for the Southern District of Florida.
Weinberg, the lead plaintiff, in 2012 sought emergency medical treatment and was taken to a hospital in an ambulance operated by Philadelphia Fire Department Emergency Medical Services, which engaged Intermedix to handle its billing, according to the lawsuit.
Among other claims, the suit alleges that Intermedix failed "to safeguard the sensitive personal information of potentially millions of emergency medical service patients, including their names, dates of birth, Social Security numbers, dates of medical services, health insurance information, and other protected health information as defined by HIPAA." The suit states that Intermedix processes billing for more than 15 million patients annually.
At the center of the suit is a 2012 breach involving a former accounts receivables worker at Intermedix, Ieshia Jordan, who pleaded guilty in February 2013 to charges of fraud conspiracy and wrongful disclosure of health information in violation of HIPAA, according to a Department of Justice statement issued at the time.
In June 2013, Jordan was sentenced to serve concurrently 30 months of federal prison time for those crimes, according to court documents filed in U.S. district court in Tampa.
Prosecutors say Jordan admitted stealing identifying information of individuals, including names and Social Security numbers, by accessing records at Intermedix without authorization. Jordan said she then gave the records to others to sell and use to file fraudulent tax returns, prosecutors say.
The lawsuit alleges that Intermedix "failed to supervise employees with access to patients' sensitive information [and] provide adequate protections and safeguards limiting access to this information. ..." In addition, the suit alleges that Intermedix "did not timely investigate or notify" victims of the breach until the company posted a notice of data breach on its website in late 2014.
A spokeswoman for Intermedix declined to comment on the class action suit, telling Information Security Media Group that as of Aug. 6, the company's legal department had not yet seen lawsuit documents.
The data breach notice posted by Intermedix on its website notes several steps the company is taking "to minimize the risk of future data breaches." That includes "making its employees aware of this incident, the company's systematic ability to catch them should they violate the trust placed in them, and the consequences to the individual involved, and has also reminded its employees of the importance of maintaining the security and confidentiality of individual records."
Unlike most companies that experience a health data breach, Intermedix apparently did not offer affected individuals free credit monitoring or fraud protection services. Rather, the company's breach notice suggests impacted individuals "consider placing a fraud alert or security freeze on your credit report."
Christopher Dore, an attorney at the law firm Edelson PC, which is representing plaintiffs in the lawsuit, tells ISMG that "it's not clear how many [patient] records were accessed, but according to Intermedix, 27 agencies in 17 states may have been affected by the breach, and Intermedix processes millions of records per year." In addition, Weinberg, the lead plaintiff in the case, did not receive a notice from ADP or Intermedix, Dore said. "He was notified about the breach by Philadelphia Fire Department Emergency Medical Services in April 2015," nearly three years after the criminal incidents involving Jordan were discovered by law enforcement.
A breach notice posted on April 3 on the website of the Philadelphia Fire Department says that on Oct. 2, 2012, Tampa police notified Intermedix that a company employee had allegedly illegally accessed and disclosed patient account information. The Fire Department said it did not learn that EMS data was among the account information stolen in 2012 until it received a call from law enforcement officials in February 2015.
The Department of Health and Human Services "wall of shame" list of major health data breaches shows that the Intermedix breach involving the Philadelphia Fire Department was reported to HHS on April 2, 2015, and affected more than 81,000 individuals.