DataBreaches.Net


U. Of Miami Health System sued over missing records, but is lawsuit a non-starter?

Posted on February 11, 2014 by Dissent

It seems like only yesterday we first learned of a breach involving the University of Miami Health System (UHealth) and an unnamed storage vendor. Oh, wait. It was.

Notification letters went out to patients on or about February 3, and a potential class action lawsuit was filed in federal court in Florida yesterday. Having skimmed the lawsuit, I confess I am somewhat perplexed by some of the claims, as they do not appear to have any support in any of the publicly available documents on the breach. As one example, the complaint alleges a breach involving UHealth’s “computer storage system,” but the breach reportedly involved paper records. As another example, the lead plaintiff, Joan Carsten, alleges (in Paragraph 19):

As a result, on a date known specifically to Defendant, an unauthorized person or persons, intentionally accessed Plaintiff’s and Class Members’ PII, and then intentionally misused the PII and intentionally disclosed the PII to third parties for profit, causing damage to Plaintiff and Class Members.

Where are they getting that “factual allegation” from? All U. Miami Health System has reported is that neither they nor their vendor can locate some boxes of records that contained bill vouchers. The vouchers included patient’s name, date of birth, Social Security numbers, physician name, facility, insurance company name, medical record number, visit number, procedure and diagnosis codes for the patient’s visit.

There is nothing in their February 3 letter to patients suggesting that the data has been misused or sold. To the contrary, they stated that they have no indication of any kind of misuse. And while Ms Carsten alleges that she became a victim of unauthorized purchases from her bank account, given all the security breaches we saw last year, how can she substantiate her claim that her fraudulent charges were linked to this particular breach – particularly when no banking or financial information was involved? Indeed, we have yet to be told when those boxes of records were last verified/inventoried at the storage vendor’s. Have they been missing for years or did they go missing shortly before UMHS requested them in June?

And why does the complaint claim that on a date “known specifically to Defendant,” when there’s been no suggestion by UMHS that they know when the records might have gone missing?

The complaint also alleges negligence and violation of the Fair Credit Reporting Act. With respect to the latter, the complaint will likely fail because of its circular reasoning, e.g., UMHS violated FCRA by failing to maintain reasonable security procedures. How do we know they failed to maintain reasonable procedures? Because they experienced a breach. (Para 52). That same type of circular argument was just rejected this week by a federal court in Ohio in a potential class action lawsuit against Nationwide Insurance over their data breach in 2012.

That UMHS failed to notify patients in what I would consider a reasonable timeframe is clear, and the complaint does raise some state-level statutory claims. But where is there any demonstration of harm clearly linked to this breach or – as Clapper held – any demonstration of impending harm clearly linked to this incident? Maybe having been a victim of fraudulent charges is enough to avoid a motion to dismiss, but eventually, I suspect this lawsuit will be dismissed.

Maybe plaintiffs shouldn’t rush to sue and wait to see what additional information comes out? Just a thought….

The above is not to suggest that HHS/OCR might have something to say about UHealth’s security safeguards and the delay in notification. But given how data breach lawsuits have gone in this country, I just don’t see this one as being likely to prevail. What do you think?
