A class-action lawsuit was filed versus San Juan Regional Medical Center in Farmington, New Mexico in relation to a reported data breach last June 2021. According to the breach investigation, there was an unauthorized individual who obtained access to its system from September 7, 2020, to September 8, 2020 and copied files that have sensitive patient data in them.
San Juan Regional Medical Center initially sent a data breach report to the HHS’ Office for Civil Rights stating that no less than 500 people were affected. In cases where the count of people affected by a security breach is not known, the breached entity could send the breach reports to OCR and provide updates later concerning the breach when there’s additional information. The breach investigation, later on, confirmed the potential theft of protected health information (PHI) of 68,792 individuals because of the attack.
Even though San Juan Regional Medical Center confirmed the data theft, the hospital didn’t get any evidence that suggests the improper use of any patient’s PHI, and folks whose Social Security numbers were exposed got no-cost credit monitoring and identity theft protection services for twelve months.
The lawsuit was filed on October 7, 2021, on behalf of Jeremy Henderson plus all San Juan Regional Medical Center patients who were affected by the data breach. The lawsuit alleges that San Juan Regional Medical Center was at fault in managing patient data, thereby exposing the sensitive information that resulted in data theft by hackers. The lawsuit furthermore claims the hospital didn’t implement proper safety procedures to keep patient data secure. This is a violation of the Health Insurance Portability and Accountability (HIPAA) Act.
The legal action moreover raises the problem of the period of time that San Juan Regional Medical Center took to distribute notification letters. Henderson explained he was informed regarding the breach only on September 13, 2021, which is more than a year after his PHI was stolen.
Based on the lawsuit, the plaintiff, as well as the class members, are facing a substantial risk of identity theft and fraud because their PHI was stolen. They needed to expend some time and effort to monitor their accounts and statements and set up some other procedures to keep themselves safe against identity theft and fraud. It’s not enough to have 12 months of credit monitoring and identity theft protection services. The legislation likes unspecified settlement.