Last year Forefront Dermatology experienced one of the largest healthcare data breaches of 2021, affecting 2.4 million patients. This year, it is paying one of the largest class action settlements for a lawsuit alleging negligence in protecting patient privacy. Forefront Dermatology is based in Wisconsin and has locations in 21 states and the District of Columbia.
While $3.75 million is a huge expense, the total cost of this breach is far greater. As we have noted before, healthcare data breaches are costly, beginning the day they happen and lasting for years. There are investigation costs, legal fees, crisis management, public relations and communications costs, and the cost of new security controls and workforce training to prevent a similar incident in the future.
Last year's cyber attack took place between May 28 and June 4, 2021, when an unauthorized party gained access to Forefront Dermatology's IT network. The attacker obtained access to files containing names, birth dates, patient account numbers, addresses, dates of service, provider names, medical treatment information, and medical record numbers.
Lax Security May Amount to Negligence
The class action lawsuit that followed claimed that affected patients and employees “were harmed in the form of the loss of the benefit of their bargain, out-of-pocket expenses, loss of privacy, and loss of the value of their time reasonably incurred to remedy or to mitigate the effects of the attack.”
The lawsuit alleged that Forefront was negligent in securing patients’ personally identifiable information (PII) and exposed them to a lifetime risk of identity theft and fraud:
“Forefront’s failures to ensure the adequacy of its IT networks and systems, and that class members’ sensitive PII was secured and protected, fell far short of its obligations to Plaintiff and class members’ and their reasonable expectations for data privacy, jeopardized the security of Plaintiff’s and class members’ PII, and put Plaintiff and class members at serious risk of fraud and identity theft.”
Although a private lawsuit like this is not a HIPAA case per se, since HIPAA does not give individuals a right to sue, the standards of care for protecting personally identifiable information (PII) and protected health information (PHI) are essentially the same, so a covered entity's HIPAA security program is the natural benchmark for what "reasonable" protection looks like.
Forefront Dermatology did not admit any wrongdoing, but it agreed to settle the case and has implemented new security measures to better protect patient information. Class members in the lawsuit are eligible to receive two years of credit monitoring and up to $10,000 in reimbursement for documented losses. They may also submit claims for up to five hours of lost time at a rate of $25 per hour.
HIPAA Compliance Is a Defense Against Negligence Claims
Full HIPAA compliance requires a periodic (in practice, annual) risk analysis, a security risk assessment, and a risk management plan that is followed up on throughout the year, with the findings and the remediation work documented. None of this is complicated or expensive; it simply needs to be a priority. A current risk analysis and a documented remediation record are the foundation of a defense against cyber attacks, and they also give you evidence of a reasonable standard of care when a private lawsuit alleges inadequate security. By taking these simple steps today, you can do more to protect patient privacy and save huge expenses and headaches later.