DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

University of Miami reaches settlement in patient data breach lawsuit

Posted on August 11, 2014 by Dissent

A federal court in Florida has been asked to approve a proposed settlement involving the University of Miami Health System. The proposed settlement would resolve a lawsuit stemming from their disclosure (pdf) earlier this year that thousands of patients’ billing vouchers stored with an off-site storage vendor were missing.

At the time of the breach notification, UM revealed that the breach, affecting patients at the Department of Otolaryngology, had been discovered six months earlier. The patient billing vouchers included name, date of birth, Social Security number, physician’s name, facility, insurance company name, medical record number, visit number, procedure and diagnostic codes.

The incident was subsequently added to HHS’s public breach tool as having occurred in June 2013, and affecting 13,074 patients. In actuality, the incident was discovered in June 2013, but when the loss actually occurred was never revealed.

The complaint (pdf), filed in February by Joan Carsten as a potential class action lawsuit, originally described the breach as what appeared to be a hack. In an amended complaint, however, the plaintiff alleged that an employee stole the missing records.

Carsten’s complaint and amended complaint alleged that she had suffered financial harm due to the breach because money was withdrawn from her banking account. No financial or banking information was included in the lost or missing records, however, so she might have had an uphill battle showing causation. The amended complaint cites the usual allegations of failure to adequately secure information, failure to timely notify those affected, risk of future harm, violations of Florida law, and violations of the Fair Credit Report Act. The complaint also alleges that U. Miami transferred patient records to the storage vendor without patients’ knowledge or consent.

As I wrote after reading the original complaint, I thought the lawsuit was a non-starter, and even the amended complaint strikes me as weak. I’m a bit surprised that U. Miami was willing to settle this as I think they would have prevailed, although perhaps the settlement may be far cheaper than protracted litigation.

Under the terms of the proposed settlement (pdf), the university would pay up to $100,000 to settle individuals’ claims, up to $90,000 for attorneys’ fees, and an incentive award of $1,500 to Carsten for her services as class representative. There are also non-monetary terms that include conducting risk assessments and remediating problems if they are identified and ensuring vendors have adequate security controls in place and in their contracts – in other words, pretty much what HIPAA requires anyway. U. Miami does not admit any wrongdoing or liability as part of the settlement.

The incident’s entry on HHS’s public breach tool is still open, so U. Miami may not be done with this breach even if the court approves the settlement.

h/t, Law360, whose headline alerted me to the settlement.

No related posts.

Category: Uncategorized

Post navigation

← Does Cybovar impact the security of your credit report?
Medical information requests of employees can be tricky →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mississippi Law Firm Sues Cyber Insurer Over Coverage for Scam
  • Ukrainian Hackers Wipe 47TB of Data from Top Russian Military Drone Supplier
  • Computer Whiz Gets Suspended Sentence over 2019 Revenue Agency Data Breach
  • Ministry of Defence data breach timeline
  • Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years
  • Ransomware in Italy, strike at the Diskstation gang: hacker group leader arrested in Milan
  • A year after cyber attack, Columbus could invest $23M in cybersecurity upgrades
  • Gravity Forms Breach Hits 1M WordPress Sites
  • Stormous claims to have protected health info on 600,000 patients of North Country Healthcare. The patient data appears fake. (2)
  • Back from the Brink: District Court Clears Air Regarding Individualized Damages Assessment in Data Breach Cases

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The EU’s Plan To Ban Private Messaging Could Have a Global Impact (Plus: What To Do About It)
  • A Balancing Act: Privacy Issues And Responding to A Federal Subpoena Investigating Transgender Care
  • Here’s What a Reproductive Police State Looks Like
  • Meta investors, Zuckerberg to square off at $8 billion trial over alleged privacy violations
  • Australian law is now clearer about clinicians’ discretion to tell our patients’ relatives about their genetic risk
  • The ICO’s AI and biometrics strategy
  • Trump Border Czar Boasts ICE Can ‘Briefly Detain’ People Based On ‘Physical Appearance’

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.