Jackson County Schneck Memorial Hospital (Schneck Medical Center) was a victim of a cyberattack in 2021. Its 2021 and 2022 disclosures about the breach and its lack of timely breach notification resulted in a potential class action lawsuit filed in 2022.
Its lack of appropriate and timely disclosures and information patients needed to protect themselves did not go unnoticed by the state’s attorney general.
On June 6, the state also sued Schneck, alleging violations of HIPAA, the Indiana Disclosure of Security Breach Act, and the Indiana Deceptive Consumer Sales Act.
The suit was filed the same day as an uncontested consent order was filed. Schneck has agreed to pay $250,000 and to also comply with the requirements of HIPAA and the two state statutes, as specifically detailed in the consent order.
Imagine if more state attorneys general enforced HIPAA via such suits. Would we see more entities complying with the Security Rule and the Breach Notification Rule? One can dream….