Dive Brief:
- Florida Hospital, a not-for-profit health system based in Orlando, is battling two possible class-action lawsuits stemming from two separate breaches of patient data that occurred during the past four years.
- The system has submitted motions in an attempt to get both cases tossed out.
- The more recent case cites the first as evidence that the hospital has been aware of its security issues for some time.
Dive Insight:
Florida Hospital has raised a strong point against the lawsuits: that the plaintiffs in the cases have not actually been the victims of identity theft (so far).
The cases argue that the patients had "expected and paid for" data security as part of their arrangement with the hospital. However, the hospital's attorneys disagree, and contend that the affected patients can't enforce HIPAA laws through private civil action, and that the hospital can't be sued for "increased risk of identity theft."
Both breaches involved hospital employees. The first, which was revealed in 2011, involved two employees who sold relevant data to lawyers and chiropractors. They both lost their jobs and faced criminal charges.
The second breach, which was revealed in 2014, centered around two employees who printed portions of medical records for at least 9,000 patients during a period of about two years. They also lost their jobs but were not named in the lawsuits.