Hospital Chain Sued Over HIPAA Data Breach


On Tuesday, a class action complaint was filed in the Southern District of Georgia against the St. Joseph/Candler Health System (SJC) and hospital chain. The class action pertains to individuals whose HIPAA-protected health information was exposed and used by third parties due to alleged negligence by the SJC defendants.

The Health Insurance Portability and Accountability Act (HIPAA) has several provisions mandating the protection of specific information known as Personal Health Information (PHI), which allows a viewer to connect the medical treatment to a specific individual, including information such as names, dates of service, dates of birth, and other information.

As part of this mandate, health care providers are required to secure this information and to take reasonably necessary precautions such as encryption, firewalls, and other technical steps.

According to the complaint, the SJC IT network was originally hacked and accessed in December 2020 and was ultimately held hostage by the hackers in June of this year. This hostage situation purportedly forced the system to revert to paper records and physical runners to communicate data on an urgent basis in the hospital system.

This was allegedly exacerbated by a lack of active backup systems or other data retention protocols, which could have alleviated the need for paper documentation while the main system was unavailable. Finally, the system did not notify affected patients until 2 months after the June breach, which deprived the class members of an opportunity to monitor their information for improper use, the complaint alleged.

The plaintiffs are suing for negligence, violation of the Georgia Fair Business Practices Act, breach of contract, breach of fiduciary duty and unjust enrichment. The plaintiff is represented by Hach Rose Schirripa & Cheverie.