Lax EHR security leads to patient lawsuit against hospital

A former patient of Florida's Adventist Health System has filed a lawsuit against the provider for failing to protect patient data contained in its electronic health record system.

The lawsuit, filed April 9 in federal court by Richard Faircloth, claims that Adventist's EHR system lacked "crucial" and legally required security measures, and that Adventist failed to adequately train staff, monitor employees' access, and segment and control the EHR database. That, according to the lawsuit, enabled employee Dale Munroe to inappropriately access the records of 760,000 patients. Ordinarily an employee would access 12,000 records in the same time period.

Munroe, who had worked in the emergency department of Adventist's Celebration Hospital, accessed the records throughout the system's 22 campuses, then sold the patient information to outside lawyer referral services and chiropractors. When he was finally fired by Adventist, Munroe's wife, who also worked for the system, picked up where Munroe left off.

Munroe, in January, was sentenced to one year in prison for the thefts.

The lawsuit is seeking class action status, injunctive relief and damages. Faircloth also claims that because of Adventist's security failures, he paid more for services than he should have.

The release of the final rule implementing many of the privacy and security provisions of the HITECH Act will lead to increased enforcement of HIPAA and private actions from patients. 

Florida's Adventist system already is in legal hot water, having been accused in a whistleblower lawsuit of overbilling the government millions of dollars in violation of the fraud and abuse laws. The whistleblower suit goes to trial this December. In 2012, four of its hospitals paid $3.9 million to settle allegations that they submitted false claims.

To learn more:
- read the complaint (.pdf)