DataBreaches.Net

U. Of Miami Health System sued over missing records, but is lawsuit a non-starter?

Posted on February 11, 2014 by Dissent

It seems like only yesterday we first learned of a breach involving the University of Miami Health System (UHealth) and an unnamed storage vendor. Oh, wait. It was.

Notification letters went out to patients on or about February 3, and a potential class action lawsuit was filed in federal court in Florida yesterday. Having skimmed the lawsuit, I confess I am somewhat perplexed by some of the claims, as they do not appear to have any support in any of the publicly available documents on the breach. As one example, the complaint alleges a breach involving UHealth’s “computer storage system,” but the breach reportedly involved paper records. As another example, the lead plaintiff, Joan Carsten, alleges (in Paragraph 19):

As a result, on a date known specifically to Defendant, an unauthorized person or persons, intentionally accessed Plaintiff’s and Class Members’ PII, and then intentionally misused the PII and intentionally disclosed the PII to third parties for profit, causing damage to Plaintiff and Class Members.

Where are they getting that “factual allegation” from? All U. Miami Health System has reported is that neither they nor their vendor can locate some boxes of records that contained bill vouchers. The vouchers included patient’s name, date of birth, Social Security numbers, physician name, facility, insurance company name, medical record number, visit number, procedure and diagnosis codes for the patient’s visit.

There is nothing in their February 3 letter to patients suggesting that the data has been misused or sold. To the contrary, they stated that they have no indication of any kind of misuse. And while Ms Carsten alleges that she became a victim of unauthorized purchases from her bank account, given all the security breaches we saw last year, how can she substantiate her claim that her fraudulent charges were linked to this particular breach – particularly when no banking or financial information was involved? Indeed, we have yet to be told when those boxes of records were last verified/inventoried at the storage vendor’s. Have they been missing for years or did they go missing shortly before UMHS requested them in June?

And why does the complaint refer to a date “known specifically to Defendant” when there’s been no suggestion by UMHS that they know when the records might have gone missing?

The complaint also alleges negligence and violation of the Fair Credit Reporting Act. With respect to the latter, the complaint will likely fail because of its circular reasoning, e.g., UMHS violated FCRA by failing to maintain reasonable security procedures. How do we know they failed to maintain reasonable procedures? Because they experienced a breach. (Para 52). That same type of circular argument was just rejected this week by a federal court in Ohio in a potential class action lawsuit against Nationwide Insurance over their data breach in 2012.

That UMHS failed to notify patients in what I would consider a reasonable timeframe is clear, and the complaint does raise some state-level statutory claims. But where is there any demonstration of harm clearly linked to this breach or – as Clapper held – any demonstration of impending harm clearly linked to this incident? Maybe having been a victim of fraudulent charges is enough to avoid a motion to dismiss, but eventually, I suspect this lawsuit will be dismissed.

Maybe plaintiffs shouldn’t rush to sue and wait to see what additional information comes out? Just a thought….

The above is not to suggest that HHS/OCR might have something to say about UHealth’s security safeguards and the delay in notification. But given how data breach lawsuits have gone in this country, I just don’t see this one as being likely to prevail. What do you think?

 
