January ended with a bang for two breached Covered Entities, Health Quest and Tidelands Health, which are facing lawsuits following their protected health information breaches. It is reported that many Health Quest employees fell for a phishing attack, while Tidelands Health was compromised by a ransomware attack. Neither case has been settled by the Office of Civil Rights (OCR), which supports our documented trend of patients filing civil lawsuits ahead of the two+ year OCR investigation process.
Notably, Health Quest reportedly failed to notify the affected patients within 60 days. The complaint alleges that Health Quest "failed to exercise reasonable care in securing and safeguarding their patients’ sensitive personal data." While HIPAA does not provide direct legal rights to bring a suit, courts have used HIPAA as an information standard of care to determine whether a defendant used reasonable and appropriate safeguards to protect their information enterprise. The lawsuit also addresses the delayed patient reporting and accuses Health Quest of violating industry standards and common law.
Tidelands Health must defend itself against allegations of disrupting healthcare operations and of disclosing and losing patient medical records. One plaintiff blamed Tidelands Health for being denied medical treatment following the breach, and another claimed that she was repeatedly delivered food items she could not consume as a result of those notes not being made available to caregivers.
Neither breach here is a "feel good" story - and there are no winners. But as we continue to witness myriad medical community organizations running non-compliant, non-secure programs, we feel motivated to continue reporting what could happen.
Stay (HIPAA) safe,