HIPAA Business Associate Breach Triggers Class Action Lawsuit

March 19, 2014

The same old story: a covered entity doesn’t manage its business associate, the business associate stores PHI on unencrypted computers, thieves steal the computers, and a class action lawsuit is filed. The ounce of prevention was a few thousand dollars and the cure will be in the millions. Undoubtedly there is a BA agreement in place and the BA attested that they were HIPAA compliant. The BA agreement was then filed and forgotten by both the covered entity and the BA. Not long ago another California company ended up filing for bankruptcy because of a similar breach.

Are you really willing to bet your company that nothing bad will happen with the PHI data you access? What if the covered entity asks you to provide a copy of your most recent HIPAA risk assessment or copies of your policies and procedures updated to reflect the changes in the HIPAA Omnibus Rule? They have the right to ask for these and their law firms are telling them that they must start monitoring their business associates. Many covered entities are also adding indemnification clauses to their BA agreements that shift responsibility to the BA if there is a breach no matter who caused the breach.

It is time to get serious about HIPAA compliance and Compliance Helper is here to help. Check out the videos at www.complianchelper.com and find the level of service and price that fits your organization. With programs starting at $99 we have a solution for all BAs and CEs.

Here is the complete article:

Class Action Suit Filed in L.A. Breach Seeking Damages in Wake of Computer Theft Incident

By Marianne Kolbasuk McGee, March 19, 2014

A class action lawsuit has been filed against Los Angeles County and a vendor that handles patient billing and payment collections for the county’s departments of health services and public health in the wake of a breach last month affecting 168,500 individuals.

The breach was the result of a Feb. 5 theft of eight unencrypted desktop computers from the Torrance, Calif. office of Sutherland Healthcare Services, the billing and collections business.

Sutherland and the county began notifying breach victims of the incident on March 6, about a month after the theft (see: L.A. Breach Linked to Stolen Computers).

Information contained on the computers included patients’ names, Social Security numbers and billing information. In addition, the stolen computers may have also contained the date of birth, addresses, diagnoses and other medical information for some patients.

The suit, which alleges violations of various California laws, was filed by attorneys for one unnamed plaintiff on behalf of the class of other individuals also impacted by the breach. That plaintiff is only identified in the suit as an adult female whose identity is being protected “due to the privacy breaches alleged,” say documents filed in the Superior Court of California in Los Angeles County on March 14. The case is seeking an unspecified figure for damages, attorney’s fees and appropriate injunctive relief.

Genie Harrison, lead trial attorney of Genie Harrison Law Firm, one of the two law firms representing the plaintiffs, tells Information Security Media Group that the next step in the suit is for the court to rule on whether the case can proceed as a class action.

In the meantime, the case will undergo a discovery phase to determine details of the incident, she says. Those details range from the physical security that was in place at Sutherland’s offices, why encryption and other safeguards were not implemented, and L.A. County’s oversight of its vendor. “We’ll get a copy of the contract [the county] had with Sutherland, and obtain information about the obligations they had for their client,” she says.

Suit Details

Among the multiple complaints in the suit is that Sutherland and L.A. County failed to notify breach victims in a timely way. “Victims should’ve been notified as soon as [the organizations] knew” of the breach, she says. Medical facilities in California have an obligation to notify breach victims within five business days of detecting a breach, she says, referring to California Health & Safety Code 1280.15.

The suit also cited violations of a number of other California statutes, including those related to the Confidentiality of Medical Information Act, fair business practices, and various consumer and privacy regulations.

Additionally, the one year of free credit monitoring being offered to affected individuals by Sutherland and L.A. County as part of their breach response is “woefully inadequate,” Harrison contends. “What happens if identity information is sold on the black market? Identity theft could go on for victims five or 10 years from now because of this breach,” she says.

The L.A. County department of public health declined to comment on the case. Sutherland did not reply to a request for comment.

