A federal court in Florida has been asked to approve a proposed settlement involving the University of Miami Health System. The proposed settlement would resolve a lawsuit stemming from their disclosure (pdf) earlier this year that thousands of patients’ billing vouchers stored with an off-site storage vendor were missing.
At the time of the breach notification, UM revealed that the breach, affecting patients at the Department of Otolaryngology, had been discovered six months earlier. The patient billing vouchers included name, date of birth, Social Security number, physician’s name, facility, insurance company name, medical record number, visit number, procedure and diagnostic codes.
The incident was subsequently added to HHS’s public breach tool as having occurred in June 2013, and affecting 13,074 patients. In actuality, the incident was discovered in June 2013, but when the loss actually occurred was never revealed.
The complaint (pdf), filed in February by Joan Carsten as a potential class action lawsuit, originally described the breach as what appeared to be a hack. In an amended complaint, however, the plaintiff alleged that an employee stole the missing records.
Carsten’s complaint and amended complaint alleged that she had suffered financial harm due to the breach because money was withdrawn from her banking account. No financial or banking information was included in the lost or missing records, however, so she might have had an uphill battle showing causation. The amended complaint cites the usual allegations of failure to adequately secure information, failure to timely notify those affected, risk of future harm, violations of Florida law, and violations of the Fair Credit Report Act. The complaint also alleges that U. Miami transferred patient records to the storage vendor without patients’ knowledge or consent.
As I wrote after reading the original complaint, I thought the lawsuit was a non-starter, and even the amended complaint strikes me as weak. I’m a bit surprised that U. Miami was willing to settle this as I think they would have prevailed, although perhaps the settlement may be far cheaper than protracted litigation.
Under the terms of the proposed settlement (pdf), the university would pay up to $100,000 to settle individuals’ claims, up to $90,000 for attorneys’ fees, and an incentive award of $1,500 to Carsten for her services as class representative. There are also non-monetary terms that include conducting risk assessments and remediating problems if they are identified and ensuring vendors have adequate security controls in place and in their contracts – in other words, pretty much what HIPAA requires anyway. U. Miami does not admit any wrongdoing or liability as part of the settlement.
The incident’s entry on HHS’s public breach tool is still open, so U. Miami may not be done with this breach even if the court approves the settlement.
h/t, Law360, whose headline alerted me to the settlement.