A Florida patient has filed a class-action lawsuit for HIPAA violation against UF Health Central Florida (UFHCF) after a data breach exposed the personal information of more than 700,000 people.
According to a complaint to the U.S. District Court for the Middle District of Florida filed on Oct. 14, Chrystal Holmes, a Lake County resident, is suing The Villages Tri-County Medical Center, UF Health Central Florida and Leesburg Regional Medical Center Inc. for HIPAA violation after a May cyberattack exposed the data of 700,981 patients. According to a report to the U.S. Department of Health and Human Services’ Office of Civil Rights, hackers gained unauthorized access to UFHCF’s computer network around May 31, gaining sensitive patient information – including names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers and patient account numbers.
On Thursday, a case was removed from the Circuit Court for Fifth Judicial Circuit for Lake County to the Middle District of Florida. The case was originally filed by a patient against UF Health Central Florida and its affiliates and concerns the theft of personally identifiable records in violation of HIPAA due to an electronic infiltration of the UF Health Central Florida computer systems.
The Health Insurance Portability and Accountability Act (HIPAA) permits medical facilities to collect information such as social security numbers, first and last names, birthdates, addresses, and other data known as personal health information (PHI) in order to facilitate both medical treatment and the billing process. However, the medical centers are placed under an obligation to protect this information from unauthorized use and from unauthorized access. These obligations include a proactive responsibility to protect the databases used to store this information from cyber infiltration.
The patient is suing for negligence, breach of contract relating to the defendants privacy policy, and breach of fiduciary duty. The plaintiff is represented by Morgan & Morgan, while the defendant is represented by Baker Hostetler.
The data breach also resulted in UFHCF’s IT systems going down for nearly a month, during which the health system was forced to switch to paper documentation. UFHCF noted it brought the electronic health record (EHR) back online June 25.
“Until notified of the breach,” Holmes and the other affected people in the proposed class “had no idea their PII and PHI had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social and financial harm,” the complaint added.
“The risk will remain for their respective lifetimes,” it continued.
