Patients file lawsuit against UConn Health over data breach impacting 300K patients

Department of justice
UCLA Health also faced a class action lawsuit for a May 2015 data breach and recently agreed to a $7.5 million settlement. (William_Potter/Getty Images)

The first lawsuit stemming from a February announcement that the University of Connecticut Health Center suffered a data breach impacting patient data has been filed in federal court.

UConn Health patient Yoselin Martinez filed a class action lawsuit on March 18 on behalf of herself and other former and current patients impacted by the breach. UConn Health announced on Feb. 25, nearly two months after the breach occurred on Dec. 24, that a hacker had gained access to employee email accounts through a phishing attack and exposed the personal data of more than 326,000 patients.

The information exposed included some personal and medical information, including some patients’ names, dates of birth, addresses and limited medical information, such as billing and appointment information. The lawsuit alleges that patients’ Social Security numbers were also exposed.

Free Daily Newsletter

Like this story? Subscribe to FierceHealthcare!

The healthcare sector remains in flux as policy, regulation, technology and trends shape the market. FierceHealthcare subscribers rely on our suite of newsletters as their must-read source for the latest news, analysis and data impacting their world. Sign up today to get healthcare news and updates delivered to your inbox and read on the go.

UConn Health officials did not immediately respond to a request for comment.

UCLA Health recently reached a proposed $7.5 million settlement for a class action lawsuit stemming from a massive data breach in May 2015 that potentially impacted 4.5 million patients.

Martinez alleges in the lawsuit that UConn Health failed to properly secure and safeguard patients’ personally identifiable information and failed to provide timely, accurate and adequate notice that their information had been compromised.

RELATED: Health IT Roundup—UConn Health data breach impacts 300,000 patient records; Cedars-Sinai pilots Amazon Alexa in patient rooms

“UConn disregarded the rights of plaintiff and class members by intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected,” the lawsuit states. “The deficiencies in defendants’ data security protocols were so significant that the breach likely remained undetected for months. Intruders, therefore, had months to access, view, and steal patient data unabated. … Timely action by UConn would likely have significantly reduced the consequences of the breach.”

“Among other things, [UConn Health] failed to exercise reasonable care, and to implement adequate cybersecurity training, including, but not limited to, how to spot phishing emails from unauthorized senders,” according to the lawsuit.

In the lawsuit, Martinez alleges that shortly after being notified of the data breach in February, she checked her bank account, which had been overdrawn. Bank officials said the charge was the result of a fraudulent transaction on her account. The lawsuit alleges that Martinez and other patients will continue to be at “heightened risk for financial fraud and identity theft for years to come.”

The lawsuit cited a study by Experian which found that the average total cost of medical identity theft is about $20,000 per incident and that a majority of victims of medical identity theft were forced to pay out-of-pocket costs for healthcare they did not receive in order to restore coverage.

Despite well-publicized litigation and frequent public announcements of data breaches by medical and technology companies, UConn Health opted to maintain an “insufficient and inadequate system to protect the PHI and PII of patients,” the lawsuit states.

The lawsuit also describes UConn’s approach to maintaining the privacy of patients’ personally identifiable information and health information as “lackadaisical, cavalier, reckless, or at the very least negligent.”

The lawsuit seeks at least $5 million in damages and an injunction directing UConn Health to implement improved security procedures and measures.

Suggested Articles

Civica Rx, the non-profit drug company formed by a collection of hospitals to help control generic drug supplies and prices, is putting down roots.

Two senators introduced this week bipartisan legislation to establish a third-party oversight committee to help monitor the implementation of the new EHR…

ONC is moving another step closer to implementing a framework designed to improve data sharing between health information networks.