CentroMed, Allwell Behavioral Health and Kaiser Faced Legal Actions

Two Class Action Lawsuits Filed Against CentroMed Over 350,000-Record Data Breach

El Centro Del Barrio, doing business as CentroMed in San Antonio, TX, is facing two class action lawsuits over a cyberattack in June 2023 in which hackers gained access to the personal data and protected health information (PHI) of 350,000 patients.

CentroMed detected the cyberattack on June 12, 2023. According to the forensic investigation, unauthorized access to its IT network first occurred on June 9, 2023. The data accessed during the cyberattack included names, addresses, birth dates, financial account details, Social Security numbers, health record numbers, medical insurance plan member IDs, and claims details. The affected individuals were notified by mail on August 11, 2023.

Jasmine Grace and Dawn Leal, patients of CentroMed, have each filed a lawsuit against CentroMed over the impermissible disclosure of their personal data. They assert that CentroMed was at fault for not appropriately securing and safeguarding their personally identifiable information, which is now in the possession of threat actors.

The two state that they face an impending, continuous, and considerable risk of identity theft and fraud and have had to spend a lot of time and money safeguarding themselves against the misuse of their personal data. The lawsuits also raise concerns about the delay in CentroMed’s issuance of breach notification letters to patients. Although CentroMed complied with the time frame permitted by the HIPAA Breach Notification Rule, it took two months to send out the notifications.

The lawsuits assert that the defendant committed a HIPAA violation by not adequately protecting their information, and allege negligence, unjust enrichment, and breach of fiduciary duty. Attorney Samantha Holbrook filed the lawsuit on behalf of Jasmine Grace in the District Court in San Antonio, seeking $1 million in damages. Attorney Joe Kendall filed the lawsuit on behalf of Dawn Leal in San Antonio federal court, seeking $5 million in damages.

Allwell Behavioral Health to Pay $650,000 to Resolve Data Breach Class Action

Allwell Behavioral Health has offered to settle a class action lawsuit by paying $650,000. The victims of a data breach in March 2022 filed the lawsuit. The incident is known to have impacted 29,972 patients.

Allwell Behavioral Health detected the breach on March 5, 2022, and discovered that unauthorized persons accessed sensitive data on March 3, 2022. The breached information contained names, birth dates, Social Security numbers, telephone numbers, treatment activity, medical provider, treatment date, treatment place, and payer details. The lawsuit claimed that Allwell Behavioral Health failed to sufficiently protect patient information.

Allwell Behavioral Health did not admit wrongdoing but opted to resolve the lawsuit to avoid further legal expenses and the uncertainty of trial. Under the terms of the settlement, class members are eligible for a $50 payment, which can increase according to the number of claimants. Claims of around $4,000 may be submitted to cover unusual, unreimbursed financial losses, which could include around 5 hours of lost time at $25 per hour.

Class members can decline to submit a claim, or exclude themselves from doing so, up to September 11, 2023. Those interested may submit claims up to October 11, 2023. By October 2, 2023, if they didn’t get a Notice ID, the final fairness hearing is booked on November 9, 2023.

Kaiser Pays $49 Million to Resolve Improper Disposal Investigation

California Attorney General Rob Bonta announced that a $49 million settlement has been reached with Kaiser Foundation Hospitals and Kaiser Foundation Health Plan Foundation Inc. to resolve allegations of improper disposal of dangerous waste materials, medical waste materials, and PHI.

Kaiser, based in Oakland, CA, is the biggest healthcare company in California, with over 700 healthcare centers in the state serving over 8.8 million individuals. Six district attorneys from Alameda, San Francisco, San Bernardino, San Mateo, San Joaquin, and Yolo counties started an investigation into the illegal disposal of hazardous items. Undercover personnel from the district attorneys’ offices examined dumpsters at 16 Kaiser centers. The dumpsters weren’t secured, and the contents were destined for landfill sites.

The inspectors discovered countless items of dangerous and medical waste, such as aerosols, sanitizers, batteries, cleansers, medical tubing, syringes containing bodily fluids, drugs, and electronic waste. The dumpsters also held over 10,000 paper documents with the PHI of 7,700 patients. The California Department of Justice later joined the investigation and extended it to include other Kaiser facilities in the state. Kaiser was alleged to have committed multiple violations of HIPAA, the Confidentiality of Medical Information Act, California’s Hazardous Waste Control Law, Customer Records Law, Medical Waste Management Act, and Unfair Competition Law.

As a result of the investigation, Kaiser engaged a third-party expert to perform over 1,100 trash audits at its facilities, and its operating procedures were updated to ensure appropriate waste disposal throughout its facilities in California. The settlement includes $4,905,000 for supplemental environmental projects, $4,832,000 in attorneys’ fees and costs, and $37,513,000 in civil penalties. Another $1.75 million in civil monetary penalties must be paid if Kaiser has not invested a further $3.5 million in its California centers to improve environmental compliance measures.

Kaiser is also required to retain a third-party auditor to carry out over 520 trash compactor audits at its California centers to ensure that dangerous items and PHI aren’t being discarded in the regular trash, and about 40 programmatic field audits are to be performed every year for the next 5 years to gauge compliance with its policies on dangerous waste, clinical waste, and PHI.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA