A four year legal battle between victims of identity theft and a former employee at the Flowers Hospital of Dothan, Alabama, is approaching its end. The class action lawsuit was filed against the employee after the employee was discovered with paper records containing the protected health information (PHI) belonging to over a thousand patients of the clinic. This case is unusual, as most class action lawsuits that are filed due to the exposure or theft of PHI involve some sort of hacking event or cybersecurity incident, while in this case the data was stolen by an insider in the organisation.
The data breach occurred in 2014, when Kamarian D. Millender stole patient information from the hospital’s laboratory. The stolen information included names, addresses, dates of birth, Social Security numbers, and health plan policy numbers. With the information, Millender filed fraudulent federal income tax returns between June 2013 and February 2014. The breach was discovered in 2014, and the hospital sent breach notification letters to all affected patients in April, in accordance with HIPAA’s Breach Notification Rules.
Millender was prosecuted for identity theft and fraud. The former employee plead guilty, and served a two year prison sentence for his crimes in December 2014.
In May 2014, the patients who had been affected by the breach filed a punitive class action lawsuit in federal court. In the lawsuit, they referenced a violation of the Fair Credit Reporting Act. Furthermore, they claimed that between June 2013 and December 2014, paper records were left unprotected and unguarded at the hospital were at risk of being appropriated and used for malicious purposes. By not protecting their PHI in an adequate manner, they were put at heightened risk of identity theft by Flowers Hospital.
Two months after the lawsuit was filed, the Flowers Hospital attempted to have the lawsuit dismissed by U.S District Judge W. Keith Watkins. They claimed that it was impossible to connect the theft of the data to financial losses for the victims, and that tax returns had not been lost, but merely delayed.
In this case, the plaintiffs had not claimed they face an increased risk of suffering financial harm as a result of the data breach. They stated that those who had been victims of data theft had suffered “concrete economic loss of their tax refunds.” They also claim they can accurately trace the losses back to the hospital, as the employee confessed to stealing their data and using the information to file fraudulent tax returns.
Although the judge dismissed the claim for the invasion of privacy of the patients, the whole case was not dismissed as losses had been suffered by the victims. Judge Watkins said: “Any motion to dismiss filed in response to plaintiffs’ amended complaint, and any response in opposition thereto, shall fully set forth any arguments in support of or in opposition to such motion, and shall not simply renew or incorporate arguments made in previous motions and responses thereto”.
In 2017, the lawsuit was eventually awarded a class action status.
Now, four years after the initial case was filed, the plaintiffs and the defendants have decided to proceed with settling the case. The hospital has offered a fund of up to $150,000 to cover out-of-pocket expenses incurred by the 1,208 victims of the breach. The settlement would provide each class member with up to $250 each, with a cap of $5,000 per person in certain circumstances. No punitive damages were awarded.
For the victims of the data theft to be able to receive the compensation, they would need to submit valid claims. A valid claim would require a breach victim to prove that they purchased credit monitoring or identity theft protection services in response to being notified about the breach.
Additionally, breach victims would be allowed to claim money for the time they spent arranging those services, and can receive up to four hours lost in wages. They are further able to claim money back for the cost of obtaining credit reports, and any un-reimbursed interest as a result of a delayed tax refund as a result of there being a fraudulent tax return filed between June 2013 and the claims deadline.
In the event that valid claims are received, and the total claims amount exceeds the allocated $150,000, all claims would be reduced, pro rata, so that the total claims value would not exceed $150,000.