Getty Images/iStockphoto

Lawsuits Filed Against Health Quest, Tidelands After Data Breach Reports

In the past week, both Health Quest and Tidelands have been hit with lawsuits from patients impacted by two data breach incidents caused by separate ransomware and phishing attacks.

Health Quest and Tidelands Health are both facing lawsuits after the providers reported potential data breaches. Health Quest recently added more patients to the tally of victims impacted by a 2018 phishing attack, while Tidelands fell victim to a ransomware attack in December.

In May 2019, Health Quest reported several employees fell victim to phishing attacks nearly a year earlier in July 2018. The attack was detected soon after the initial system breach and the accounts were secured. The investigation concluded in April 2019, and official determined patient data was contained in the impacted email accounts.

Patients who visited Health Quest between January 2018 and June 2018 were included in the initial breach tally. The notification did not explain why officials delayed notifying patients until well-beyond the HIPAA-mandated 60 days.

In January 2019, Health Quest began notifying another round of patients that their data was also breached during the 2018 phishing attack. In total, more than 28,000 patients were impacted.

The second round of notifications prompted a Poughkeepsie patient, Leah Wallace, to file a class-action lawsuit in federal court against Health Quest and Nuvance Health, for which Health Quest is now part, according to local news outlet, Poughkeepsie Journal.

The lawsuit argues the provider failed to exercise reasonable care in securing and safeguarding their patients’ sensitive personal data.” The breach exposed names, dates of birth, Social Security numbers, driver’s licenses, and financial data.

As a result of those failures, the suit argues that hackers were able to steal patients’ private information. Thus, patients are put at immediate, serious, and ongoing risks, as well as increased expenses that stem from individuals’ efforts to protect and monitor their credit after the breach.

Further, the lawsuit calls Health Quest’s delay in notifying patients as “inexplicable,” and the provider had obligations created by HIPAA, industry standards, common law and representations made to class members, to keep class members' private information confidential and to protect it from unauthorized access and disclosure."

"Plaintiff and other class members have suffered actual injury and at risk of further imminent and impending injury arising from the substantially increased risk of future fraud, identity theft, and misuse posed by the private information being stolen," according to the lawsuit.

The Department of Health and Human Services is currently investigating the incident.

For South Carolina-based Tidelands Health, the recently filed lawsuit stems from a December ransomware attack. The provider was forced into EHR downtime procedures after a reported malware attack impacted some of its computer network, which were shut down as a result.

Patient care continued throughout the attack, but some appointments were rescheduled as some of the IT network remained offline or operated under limited function during the recovery period.

Last week, patients impacted by the attack filed a class-action lawsuit in federal court to hold the hospital accountable for the attack and the treatment of its patients, according to local news outlet ABC15 News.

The lawsuit argued that ransomware disrupted care operations, while disclosing highly sensitive patient medical records of thousands of patients that were lost during the attack. The potentially compromised data included names, health insurance information, Social Security numbers, and dates of birth.

As a result, impacted patients are at risk for fraud and identity theft.

Further, one patient named in the suit claims that she was turned away for her scheduled nuclear stress test, which was essential for her care as she suffered two strokes in the past year. The patient claims she was left in the dark after the attack and only learned the system was back online from someone who did not work at the hospital.

Another patient claimed that she was repeatedly given food items she could not eat, as a result of the clinician being unable to access the patient’s medical records.

The lawsuit also claims the provider failed to protect patient data and argues that Tidelands is not adhering to HIPAA as it still has not been reported to HHS. However, under HIPAA, providers are given 60 days to report. Patients are seeking monetary damages and free credit monitoring for three years.

In the last few months, several other providers have been hit with similar lawsuits stemming from potential data breaches or security incidents. In the past, these cases have seen mixed results. Some covered entities have seen cases dismissed, while others, such as the most recent case, Premera Health, have reached settlements reaching several millions of dollars.

Next Steps

Dig Deeper on Health data access & privacy