Tenet Health Data Breach: Lawsuit Settled for $32.5 Million

Seventeen years after the Tenet health data breach, the lawsuit brought against the company by the victims whose PHI was exposed has been settled for $32.5 million.

Data breach costs are difficult to calculate accurately as it often takes many years for the true costs of a data breach to become known, as Tenet Health could testify; some 17 years after it suffered a HIPAA breach, Tenet health data breach costs can finally be determined. The company has reached a settlement in a class action lawsuit that was first filed by the victims in 1997. The case has just been settled for $32.5 million. Tenet will be able to calculate the total cost of the breach, although this information has not been made public.

The lawsuit was filed by the victims of a HIPAA violation where patients of the JoEllen Smith Psychiatric Center had their medical files dumped outside Tenet’s Algiers facility in full view of the public. The files contained highly confidential information relating to the mental health issues suffered by the patients; information that could be highly damaging – both mentally and financially – if the information was divulged to the wrong individual. In some cases, even the disclosure could lead to some of the patients coming to physical harm.

The breach was explained as resulting from an error made during the closure of one of Tenet’s facilities. The center was stripped and the material was left outside the shuttered building awaiting collection by a contractor. However, a number of boxes of files containing confidential patient records were accidentally dumped with the material in front of the facility.

Thousands of patients’ files were exposed in the security breach. In addition to mental health information, the files contained names of the patients, admission logs, treatment dates, medical diagnoses and in many cases, financial information. However, there were also logged calls from the psychiatric health crisis telephone helpline. The confidential helpline is used by callers with serious mental health issues, and their names and numbers were also logged in those files.

The attorney for the plaintiffs, Ray Orrill Jr, said “There were enough documents out there to fill the bed of a pickup truck with cases of records stacked two (cases) high.” However, to make matters worse, the material was not demolition rubbish and items of value were also dumped outside. There were filing cabinets and lighting, and some local residents had already started taking some of the items. The potential for the records being accessed or stolen was very high.

Some data was disclosed, as some of the records were found lying in the street, which is how the violation was uncovered. A local resident noticed some records on the ground and recognized one of the names. A number of documents were removed from the scene by two former employees, and that data was used as evidence in the case.

As is standard in class action claims of this nature, $1,000 per victim was agreed with the total Tenet health data breach costs being $32.5 million. Tenet is required to pay the money into a fund which will be used to pay out compensation to all of the victims, although since the case has taken so long to resolve not all of the victims will still be alive to make their claims. Should there be any surplus it will be returned, but Tenet Health may have pay more money into the fund if is discovered that any of the victims have suffered loss or damages as a result of the improper dumping of PHI.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news