Florida health system hit with proposed class-action lawsuit over data breach

A Florida resident has brought a lawsuit against UF Health Central Florida after a data breach potentially exposed the information of more than 700,000 people.

According to the complaint, which was removed to the U.S. District Court for the Middle District of Florida this past Thursday, Chrystal Holmes is accusing the system of failing to properly secure and safeguard personally identifiable information.  

“Despite the prevalence of public announcements of data breach and data security compromises, UFHCF failed to take appropriate steps to protect the PII and PHI of [the] plaintiff and the proposed class from being compromised,” read court documents.  

Attempts to reach UFHCF for comment were not successful.

WHY IT MATTERS  

As reported to the U.S. Department of Health and Human Services’ Office of Civil Rights, UFHCF experienced a hacking incident earlier this year leading to the potential exposure of 700,981 individuals’ data.

Between May 29 and May 31, bad actors gained unauthorized access to UFHCF’s computer network.  

During that period, said a notice posted to the UFHCF website at the end of July, patient information – including names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers and patient account numbers, as well as limited treatment information used for UF Health’s business operations – may have been accessible.  

“Until notified of the breach,” Holmes and the other affected people in the proposed class “had no idea their PII and PHI had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social and financial harm,” read the complaint. 

“The risk will remain for their respective lifetimes,” it continued.  

According to court documents, the fact that the incident took place suggests that UFHCF had not adhered to rigorous security protocols, including those recommended by the U.S. government.  

“The occurrence of the cybersecurity event indicates that defendants failed to adequately implement … measures to prevent ransomware attacks,” said the complaint.  

Holmes, through her lawyers, argues that the information compromised in the cybersecurity event is “significantly more valuable” than credit card information.   

Instead, personal information such as name, address, date of birth and Social Security number “is impossible to ‘close’ and difficult, if not impossible, to change,” read court documents.  

Holmes is accusing UFHCF of negligence, breach of contract and breach of fiduciary duty.  

“Plaintiff and class members have a continuing interest in ensuring that their information is and remains safe, and they should be entitled to injunctive and other equitable relief,” argued the complaint.  

THE LARGER TREND  

Many of the major cybersecurity incidents over the past year have been followed by lawsuits accusing healthcare organizations of failing to adequately protect patient information.  

Earlier this year, Scripps Health in San Diego faced several complaints after a ransomware incident led to a massive network shutdown.  

And in September, a cancer patient sued UC San Diego Health over a security breach that potentially exposed the private information of 495,949 patients.  

ON THE RECORD  

“The ramifications of UFHCF’s failure to keep secure UFHCF’s current and former patients’ PII and PHI are long lasting and severe,” said the complaint. “Once PII and PHI is stolen, particularly Social Security numbers, fraudulent use of that information and damage to victims may continue for years.”

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.