Settlement by Advent Health Partners and Lawsuits Against Louisiana Health Systems, UHC and RIPTA

Advent Health Partners Offers $500,000 Settlement for Class Action Data Breach Lawsuit

Advent Health Partners, a health system based in Nashville, TN, has offered to pay $500,000 to settle claims associated with a September 2021 data breach affecting the protected health information (PHI) of 61,072 patients.

Advent Health Partners discovered the email account breach at the beginning of September 2021. The investigation revealed that hackers got access to, and likely stole, patients' PHI, for example names, driver’s license information, Social Security numbers, birth dates, medical insurance, medical treatment details, and financial account data. Impacted individuals received notifications regarding the incident in March 2022 and were given credit monitoring services for one year.

Advent Health Partners is now facing the McHenry v. Advent Health Partners, Inc. lawsuit, which was filed in the U.S. District Court for the Middle District of Tennessee because of the breach. Allegedly, the health system did not use reasonable and proper cybersecurity procedures, in spite of knowing the potential risks of phishing attacks on healthcare companies. The lawsuit also complains about the long time it took to inform impacted patients. The healthcare provider detected the breach at the beginning of September 2021, but Advent Health Partners only announced the breach on its website in February 2022. It sent the breach notification letters in March 2022, which is 6 months after discovering the breach. The lawsuit additionally claims that the notifications lacked even fundamental information regarding the data breach, and that the offer of credit monitoring services for 12 months was not enough.

The lawsuit claims the failure to secure patient information and the late issuance of notifications broke Tennessee law. The lawsuit likewise claims the health system failed to adhere to the federal requirements of HIPAA and failed to follow FTC rules for securing sensitive information. The lawsuit alleged negligence, unjust enrichment, and third-party beneficiary contract breach.

Advent Health Partners decided to resolve the lawsuit to steer clear of additional legal expenses and did not admit any wrongdoing. Under the terms of the settlement, a $500,000 fund will be made available to pay for claims and legal expenses. Eligible individuals may submit claims for reimbursement of ordinary expenditures of up to $750 for each class member. Claims may include reported losses like out-of-pocket expenditures, charges for credit reports and credit monitoring from September 1, 2021 to April 20, 2023, and around four hours of lost income at $18 an hour. Claims may likewise be filed for up to $5,000 per class member for reimbursement of extraordinary losses that have not yet been refunded, including losses to identity theft and fraud. Class members also get credit monitoring services for 3 years.

The last day for objection to or exclusion from the offer is March 21, 2023. Individuals may submit claims until April 20, 2023. The final approval hearing is scheduled for April 14, 2023.

Louisiana Health Systems Faces Lawsuit for Pixel-Associated Disclosures of Patient Data

Two Louisiana health systems were sued for using pixels on their web pages, which purportedly captured and impermissibly shared patient information with third parties like Instagram and Facebook. LCMC Health System, based in New Orleans, manages 9 hospitals around Southern Louisiana, and Willis-Knighton Health System, based in Shreveport, manages 5 hospitals around Northwestern Louisiana. The two health systems are the defendants in a lawsuit that the Herman Herman & Katz law firm recently filed on behalf of plaintiff John Doe and similarly affected persons.

The lawsuit claims the health systems put Meta Pixel code on their web pages, which enabled the capture of the sensitive personal data and protected health information (PHI) of users. The code is usually employed for monitoring user activity on websites to enhance website performance and improve the user experience; nevertheless, the tracking code at the same time sends information to Meta, and that data is possibly accessible to third parties for marketing uses on its Instagram and Facebook social media accounts.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently said that using tracking technologies on web pages with no business associate agreement (BAA) or patient consent violates HIPAA. A lot of health systems are using tracking technologies like the Meta Pixel code on their web pages and apps. A few of them are reporting impermissible disclosures to OCR under the HIPAA Breach Notification Rule. So far, the two health systems have not reported any breach to OCR.

The lawsuit claims the health systems did not acquire consent from website users prior to adding the code, and the privacy violation likely continued for a number of years. The lawsuit alleges the code sent the sensitive information of thousands of people without their knowledge. The information was allegedly employed to provide targeted ads associated with the medical conditions revealed through the websites, for instance when inputting details to book consultations.

Although OCR has stated that impermissible disclosures are HIPAA violations, HIPAA does not have a private cause of action, so patients are not able to sue over HIPAA violations. The lawsuit doesn’t involve HIPAA; rather, it says the disclosures broke Louisiana legislation, which in general forbids sharing personal health data with third parties with no permission. The lawsuit states that using these technologies with no permission is a major privacy violation and requires the health systems to remove the tracking codes. Any revenue from the transmitted information will be for the victims, and for payment of damages. The two health systems already know about the lawsuit, intend to defend against the plaintiffs’ allegations, and stated they are seriously dedicated to securing patient privacy.

ACLU Extends Class Action Lawsuit Against UnitedHealthcare New England and RIPTA

The American Civil Liberties Union of Rhode Island (ACLU of RI) has modified the complaint it filed against UnitedHealthcare New England (UHC) and the Rhode Island Public Transit Authority (RIPTA) in their imminent class action lawsuit in relation to the August 2021 data breach. RIPTA is an agency of the state of Rhode Island that manages its public bus service. In August 2021, an unauthorized third party accessed its computer network and stole data files with sensitive employee data, such as names, Social Security numbers, and other private data and health information.

RIPTA sent notifications to around 22,000 impacted persons 4 months after discovering the data breach. However, a lot of those who got notification letters did not have any connection with RIPTA. It was eventually revealed that the data of around 5,000 RIPTA workers was exposed, together with the information of 17,000 non-RIPTA workers. RIPTA kept the information of 17,000 workers of other state agencies after RIPTA mistakenly received the information from UHC.

ACLU of RI sued RIPTA and UHC because of the data breach. The lawsuit at first had two plaintiffs: an employee of the University of Rhode Island and a retired employee of RIPTA. The two were impacted by the data breach. The plaintiffs were representatives of a class of over 20,000 people. The lawsuit claims RIPTA and UHC failed to appropriately maintain, secure, remove, and securely delete information, violating two Rhode Island regulations. Additionally, the notification letters didn’t have adequate information regarding the breach, RIPTA inaccurately posted on its website that only health plan beneficiaries were impacted, and breach notifications were issued 138 days after discovering the breach, violating state law, which demands sending data breach notifications within 45 days.

The lawsuit claims the plaintiffs and class members are faced with an impending threat of fraud and identity theft, which requires them to continuously keep track of their financial accounts, credit information, future financial footprints, and identities. Following the data breach, one plaintiff suffered from the fraudulent usage of her credit cards and unauthorized withdrawals from her bank account. The revised complaint further added eleven plaintiffs to the suit as class representatives and points out the problems caused by the breach, which for a number of persons includes losing thousands of dollars. Some of the stolen information was found on the dark web. The modified complaint likewise included information about the complaints of RIPTA workers from a January 2022 hearing. UHC representatives failed to attend that hearing. But it was confirmed that encryption was activated only after the data breach. Medicare ID numbers, names of providers, and dates of service were breached. In spite of the data breach happening over 18 months ago, it is still uncertain why UHC gave RIPTA the information of non-RIPTA workers or why it took a long time to issue the notification letters.

The lawsuit seeks compensatory and punitive damages, attorneys’ fees, credit monitoring services for 10 years, and asks the courts to have the defendants implement an extensive data security program.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone