Scott Waldman reports that Glens Falls Hospital has been sued over the patient record exposure breach caused by its business associate, Portal Healthcare Solutions. I had previously discussed this breach, here.
The lawsuit was filed as a potential class action lawsuit in State Supreme Court in Saratoga County yesterday on behalf of Dara Halliday and Teresa Green. It names the hospital, Portal, and Carpathia Hosting as defendants.
According to the complaint, the plaintiffs discovered the breach on March 7, when they googled their names and found links to their doctor’s reports on them that included their past and current medical treatment, medications, social history, physical examination, laboratory data, and future treatment plans. The files could be accessed, viewed, and printed or downloaded by anyone without restriction – a point that both the hospital and Portal Healthcare have both acknowledged. It is not clear from the complaint whether the plaintiffs notified the hospital on that date or if they ever notified the hospital, but the hospital’s subsequent letter to patients and statements to the press indicate that they first learned of the breach on March 14. A. K. Jay Jaiswal, Portal’s CEO, informs PHIprivacy.net that the hospital notified them on March 14, and they immediately secured the server.
The complaint alleges negligence, failure to timely notify patients, failure to reveal the true scope of the breach, breach of warranties, and breach of contract.
Of particular interest to me, according to the complaint, Glens Falls Hospital’s notification letter to patients dated April 3 stated that they were unable to determine whether the files had ever been accessed or downloaded because Portal’s “access records are unavailable.” In a statement sent today to PHIprivacy.net, Jaiswal states that on the evening of March 14, the hospital requested two days’ worth of FTP access logs, which Portal provided on March 15. The FTP access logs roll over, however, which may explain why the hospital claimed it was not able to determine whether files were accessed or not. Jaiswal states that forensic examiners subsequently made a two-day on-site visit and made copies of two servers to take back for further examination. Portal’s copies of the servers’ contents and the original servers were placed in a bank vault and sealed as evidence. Jaiswal stands by his previous statement to PHIprivacy.net that the actual window of exposure was March 5 – March 14, and not November – March. He tells PHIprivacy.net that in the absence of access logs, the hospital used the folder creation date as the earliest date:
It is my understanding that because documents posting to the in transit folder started in Nov 2012 hospital took the position that documents may have been exposed from that date. In reality the documents analyzed by hospital’s own forensic experts who looked at forensic META FILE of each document came to two conclusions – documents were created between Nov 2012 to Jan 2013; and accessed by hospital only. They were not able to identify any additional access information.
But if the two plaintiffs were allegedly able to access the files on March 7, where are the logs showing that access? The access log situation is something HHS may wish to consider in terms of any audit or investigation.
If Jaiswal is correct in his claims, it appears that patients seen between November 2 and March 14 may have had their doctor’s notes available for viewing or access, but only between March 5 – March 14. While that would still be distressing, it doesn’t seem quite as horrific as if the files had been exposed for a 4-month period. The hospital, however, maintains that the exposure window was between November and March. It should make for interesting discovery.
The complaint alleges that plaintiffs have suffered significant and irreparable harm, including anxiety and emotional distress, and they seek monetary damages for the loss of privacy, credit report monitoring, and identity theft monitoring. The Saratogian reports, however, that the hospital says it has already offered affected patients free credit monitoring and identity theft protection. Whether any claim for emotional distress and anxiety can survive a motion to dismiss in NYS is unclear to me.
For his part, Jaiswal says that this breach has been “an experience of the life time” and they moved quickly to ensure this type of problem never occurs again. “I wish we can un-ring the bell but I cannot so the measures we have put in place and improved ensures full protection,” he tells PHIprivacy.net.