Last month Health Quest was the latest in a growing line of Health Care systems and providers to get sued for failing to safeguard patient sensitive and private data. This data included, among other things, patient names, dates of birth, social security numbers, driver’s license numbers, financial account information, payment card information, PINs and security codes, health care provider names, dates of medical treatment, and treatment and diagnosis information.

The breach occurred in July 2018 when an unauthorized individual gained access to several employees email accounts through a phishing scam. An independent investigation by a cybersecurity firm took place and customers were notified in the spring-summer timeframe of 2019. More potential compromises of accounts were discovered in the fall of 2019, and those individuals were not notified until January of 2020.

The plaintiffs allege in their complaint that the failure to safeguard was based upon a duty owed to them by Health Quest under the terms of their own policy, HIPAA protocols, and common law.  Health Quest, according to the document was grossly negligent in failing to follow industry standards and regulations as noted below:

Defendants committed the minimum following acts and omissions of negligence in connection with the conduct and events alleged herein:

  1. Defendants failed to exercise reasonable care to safeguard and protect sensitive personal data and confidential health information;
  2. Defendants failed to protect against reasonably anticipated third party cyber threats, including “phishing” attacks;
  3. Defendants failed to adequately fund, implement, monitor, audit and oversee the security of their information systems;
  4. Defendants failed to prevent the unauthorized access and/or disclosure of electronic patient sensitive personal data and confidential health information;
  5. Defendants failed to apply reasonable policies and procedures so as to ensure data privacy and patient confidentiality;
  6. Defendants failed to properly train their agents, servants and employees how to safeguard sensitive personal and protected health information.
  7. Defendants failed to timely warn patients of the Security Breach;
  8. Defendants concealed the true nature and scope of the Security Breach; and
  9. Defendants failed to comply with industry standards in maintaining the security of sensitive personal data and confidential health information, and notifying patients that such information was compromised.

The complaint, as we have seen in other recent cases, alleges the time it took to notify the plaintiffs was unreasonably long, thus exposing their information longer than necessary.

Plaintiffs in this case seek both declaratory and injunctive relief – in other words, they want to know how this happened, proof that it is not happening now, and what Health Quest is going to do to protect their information in the future.

As with any negligence case, there must be a showing of harm to the plaintiff. In this matter, the complaint alleged damages to be determined at trial, due to the unknown amounts of harm suffered by the plaintiffs due to the data breach.

While spending your time protecting your identity due to a breach of data along with the incidental costs of doing so amounts to some dollar figure, the speculation of collecting on potential future harm of the breach is a difficult topic the legal world is still wrestling with in various jurisdictions. In the recent OPM breach case, the D.C. Circuit Court validated the plaintiff theory that exposure to an increased risk of future harm constitutes the “injury” necessary to confer standing on data breach victims. This seems to be in some conflict with Supreme Court decisions, although the Supreme Court was not addressing data breaches in their ruling. It will be interesting to see going forward how this issue will be decided.

Related News

Joe Jabara, JD, is the Director, of the Hub, For Cyber Education and Awareness, Wichita State University. He also serves as an adjunct faculty at two other universities teaching Intelligence and Cyber Law. Prior to his current job, he served 30 years in the Air Force, Air Force Reserve, and Kansas Air National Guard. His last ten years were spent in command/leadership positions, the bulk of which were at the 184th Intelligence Wing as Vice Commander.