IT error leads to $31.8 million lawsuit against hospital
A class action lawsuit was recently filed against St. Joseph Health System of Orange, CA, after an IT error allowed private medical information about 31,800 patients to be searchable by the public online.
The suit, filed by two allegedly affected patients in Sonoma County Superior Court, seeks $1,000 in damages per patient, for a total of $31.8 million. The complaint claims the health system was negligent and failed to preserve the confidentiality of the patients’ information, in violation of California’s Confidentiality of Medical Information Act.
This suit is one of five that have been filed against St. Joseph Health, the Santa Rosa Press Democrat reports.
The security incident was first reported in early February, when patients were notified that their data had been breached. Information made searchable included patient names, lab results and diagnoses, among other data.
One of the patients who filed the lawsuit discovered the breach on her own after she conducted a Google search for her own name and found her medical information on a hospital’s website.
How did that information end up becoming accessible through Google searches? One issue was that the data was held in the health system’s network without being password-protected or encrypted. In its initial notification to patients, St. Joseph Health acknowledged that security settings were “incorrect,” allowing the information to be searchable.
As this case shows, errors in setting security and other configurations can cause huge problems for healthcare organizations. A similar lesson was learned in a breach of information in Utah’s Medicaid system, when an unspecified configuration error left data about nearly 800,000 individuals open to attack from data thieves.
- Hard drive theft leads to $1.5 million fine for privacy violations
- Stolen laptop leads to $1.5 million HIPAA fine
- Who’s liable after patient data is breached?
- Patient data lost on way to third-party – hospital pays $750,000
- Hospital employee sold 40 patients’ protected health information
Below are a few free resources you may find useful.