A proposed $2.25 million settlement with SuperCare Health reveals key lessons about health privacy compliance.
Lesson 1: If the Office for Civil Rights (OCR) is slow to respond to a large breach, an unhappy patient may file a lawsuit. When a large number of patients are affected by the same breach, the case becomes a class action with higher stakes. To settle, the plaintiffs’ lawyers can demand payment and corrective action that OCR might have required.
On March 28, 2022, California-based respiratory care provider SuperCare Health confirmed it had suffered a healthcare data breach the previous July. The breach exposed the protected health information (PHI) of more than 318,000 patients. Information exposed included names, addresses, health insurance information, medical record numbers, birth dates, patient account numbers, claim information, treatment information, and hospital or medical group information. Some Social Security numbers and driver’s license numbers were also exposed.
Less than three weeks later, on April 12, a lawsuit was filed in a California federal district court alleging that SuperCare’s “reckless” approach to cybersecurity had led to the exposure of personal health information for hundreds of thousands of patients.
Lesson 2: Although this is not a HIPAA lawsuit per se, HIPAA very much matters. The federal Health Insurance Portability and Accountability Act (HIPAA) does not give individuals a right to sue in court; enforcement is left to OCR instead. However, a lawsuit can allege negligence in protecting patient privacy, and lawyers will cite HIPAA as the standard of care. If they can show that a healthcare organization failed to meet HIPAA standards, negligence is easier to prove.
In this case the plaintiffs alleged that SuperCare failed to follow security guidelines and standards, including those of HIPAA, the National Institute of Standards and Technology (NIST), the Federal Trade Commission (FTC), and various California laws.
Lesson 3: The size of the settlement is an incentive for plaintiffs’ lawyers to go after other healthcare organizations that may have been negligent. Although the individual patients whose privacy was breached don’t receive much money, the plaintiffs’ lawyers are well compensated.
In the SuperCare case, the proposed settlement agreement provides two tiers of monetary payments for patient “class members” in the lawsuit, ranging from $100 to $2,500. All eligible class members will also receive one year of credit monitoring, including up to $1 million in fraud insurance coverage. SuperCare also agreed to implement enhanced cybersecurity measures and provide more cybersecurity awareness training, both of which are already required under HIPAA and various privacy protection laws.
The lawyers are to receive a combined award of attorneys’ fees and expenses in an amount not to exceed 33% of the “Settlement Fund”, an amount not known until all class members are compensated and a final accounting is done.
Lesson 4: This is one piece of a long recovery from the original breach. Although the details are not yet public, an OCR investigation is underway because OCR protocol requires it to investigate all healthcare data breaches affecting 500 or more individuals. There may be another payment and settlement agreement, and a corrective action plan with OCR. In addition to the investigations and lawsuits, SuperCare Health has lost good will and incurred expenses for investigations and public relations management.
Follow HIPAA Now and Avoid Costs Later
Prevention is easier and much less expensive than defending lawsuits, responding to investigations, and managing the aftermath of a breach.
Do an annual Risk Analysis, use the Security Rule Checklist for your security risk assessment, and provide cybersecurity awareness training. Year-round Risk Management and a culture of compliance among staff will save time and strengthen your defenses against the cyber incidents that lead to lawsuits.