Damages Sought for 2014 Aventura Hospital HIPAA Breach

A patient has filed a lawsuit in a Florida Federal Court and is seeking damages following the 2014 Aventura Hospital HIPAA breach, according to a recent Courthousenews.com report. The suit names the defendants as Hospital Corporation of America (HCA) and Envision Healthcare Corporation, and has been filed after the plaintiffs personally identifiable information and Social Security numbers were in its 2014 data breach.

2014 Aventura Hospital HIPAA Breach Occurred Just One Day After Last Breach was Remediated

The breach was caused by a Business Associate of the hospital – Valesco Ventures – and exposed the data of 82,601 individuals. The breach started just one day after the healthcare provider’s last HIPAA breach was corrected after the data of 2,560 patients was exposed. Earlier last year the hospital also suffered a 948-patient data breach.

The patient, Kellie Lynn Case, is alleging that she is one of a large number of patients whose data had been provided to the defendants on the understanding that it would be kept safe, with the appropriate safeguards employed to protect that data. However, she is alleging that those safeguards were not put in place.

The lawsuit cites many failures which have violated Health Insurance Portability and Accountability regulations in addition to Industry Standard Protection Protocols.

The suit argues that there were numerous failures by the defendants to secure data, which included a lack of staff training on Privacy and Security Rules and insufficient supervision of staff, the latter enabling confidential data to be stolen and used improperly.

Under HIPAA regulations, all covered entities – of which Aventura is one – are required to implement the appropriate technical, administrative and physical controls to keep electronic and hard copies of Protected Health Information and personal identifiable information secure.

Damages Sought for Breach of Contract

Previous claims for damages following HIPAA breaches have not been successful due to the difficulty in proving damage or harm caused by the breach. This suit differs as the case is not for the exposure of data; Case is seeking compensation as a result of a breach of contract and a breach of implied contract after the 2014 Aventura Hospital HIPAA breach, and she is also alleging unjust enrichment for failing to implement the safeguards to protect her data after she had specifically paid for them.

She claims she was required to pay an additional cost in order for Aventura to provide the security services it detailed in its Notice of Privacy Practices; however it was only after its third HIPAA breach that the healthcare provider increased security. Case is claiming she paid for the services on the understanding that her privacy was protected, and that she would not have paid, or at least paid less, had she known that the protections would not be put in place.

Author: NetSec Editor