Lawsuits Filed Against Insight Global, Methodist Hospital Employees, UHS-Delaware and UHS-Fuller

Insight Global Settles Class Action Data Breach Lawsuit

Insight Global LLC has made a decision to resolve a class action lawsuit associated with an April 2021 data breach that compromised the contact tracing information of over 76,000 residents of Pennsylvania.

Insight Global was designated the administrator of the contact tracing program of Pennsylvania at the time of the pandemic. Carrying out the contracted tasks needed Insight Global to gather a selection of sensitive data which includes names, phone numbers, email addresses, family size, sexual orientation, health information, indications of contact with COVID-19, and whether each person needed any support services.

A number of Insight Global staff made Google accounts to communicate data, such as spreadsheets and documents that contain contact tracing information. As soon as Insight Global discovered the unauthorized accounts, employees were instructed to quit using the accounts and be sure to secure the information. The problem with the use of unauthorized Google accounts was the sending of sensitive information to servers that were beyond Insight Global’s control and could possibly be viewed by unauthorized persons. Based on the data breach notice of Insight Global, the data was transmitted to personal Google accounts and through non-secure channels from September 2020 to April 2021. Insight Global stated it found the security problem on April 21, 2021.

A lawsuit was submitted on behalf of Lisa Chapman, one whose information was exposed, and likewise affected persons who had their sensitive data and personal health information (PHI) exposed and possibly stolen by unauthorized persons. The defendant of the lawsuit are Insight Global and the Pennsylvania Department of Health, though the Department of Health was eventually removed from the lawsuit.

The lawsuit alleged that Insight Global did not employ enough and reasonable safety measures to protect the PHI of consumers. The lawsuit additionally alleged that Insight Global knew that its staff was utilizing non-secured data communication and storage solutions since November 2020, yet did not do something to deal with the concern until April 2021. The lawsuit furthermore claimed Insight Global did not give prompt notifications concerning the data breach. When the notifications were provided, there was inadequate data. For example, the notifications didn’t say that unauthorized individuals accessed their information.

The lawsuit claimed the plaintiff and class members are facing a greater risk of identity theft and fraud because of the compromise of their personal data and PHI and that they still will bear out-of-pocket costs to keep themselves safe from identity theft and fraud.

Insight Global opted to negotiate the lawsuit without admitting any wrongdoing. As per the conditions of the settlement, class members can claim up to $250 as damages for out-of-pocket costs sustained as a result of the data breach, which consists of lost time at $20 an hour. They will also receive credit monitoring services for two years. Furthermore, they can claim for documented extraordinary losses up to $5,000.

Former Employees of Methodist Hospital Confess to Criminal HIPAA Violations

Five ex-employees of Methodist Hospital have confessed to criminal violations of HIPAA for viewing and sharing the data of patients to a third party to gain a profit. 41-year-old Roderick Harvey of Memphis contacted the former hospital employees and paid them to give him with the names and phone numbers of patients who were involved in motor vehicle accidents. Harvey then sold the information he collected to personal injury lawyers and chiropractors.

The HIPAA Privacy Rule forbids healthcare employees from

  • viewing patient information except if there’s a legitimate work reason to do so
  • sharing patient information to third parties except if there is a good reason for the sharing (i.e. treatment, billing, business transaction)
  • except if permission is acquired from the patient

Accessing and sharing patient data for monetary gain with no patient consent is a criminal offense.

From November 2017 to December 2020, 38-year-old Kirby Dandridge, 43-year-old Sylvia Taylor, 31-year-old Kara Thompson, 41-year-old Melanie Russell, and 26-year-old Adrianna Taber shared patient data with Harvey and so violated HIPAA. The ex-employees were fired because of their HIPAA violations, and together with Harvey, were charged by a federal grand jury last November 2022. Harvey committed a conspiracy and faced seven counts of stealing patient data with the intention to sell it for monetary gain. The ex-employees of Methodist Hospital were independently charged for breaking HIPAA.

Harvey confessed to the conspiracy charge last April 21, 2023. His sentencing will be on August 1, 2023, facing up to five years imprisonment, a penalty of around $250,000, and three years of supervised parole. Dandridge, Russell, Taber, Thompson, and Taylor each will be put in jail for a maximum of one year, pay $50,000 penalty, and have one year of supervised parole. They will face their sentence on five different dates from April 25, 2023 to June 21, 2023.

Incidents of Workplace Violence at UHS-Delaware and UHS-Fuller

UHS of Delaware Inc. and UHS of Fuller Inc. were determined to have subjected their Attleboro, MA-based Fuller Hospital workers to unacceptable risks due to workplace violence. Then, they destroyed proof and did not adhere to their legal discovery responsibilities.

UHS of Fuller Inc. and UHS of Delaware are under the holding company of Universal Health Services, which is a big behavioral healthcare services provider in the U.S. The Occupational Safety and Health Administration (OSHA) investigated Fuller Hospital in 2019 after receiving complaints from employees of UHS-Delaware and UHS-Fuller regarding inadequate safety measures against workplace violence. There were over 500 cases of hostility on hospital staff at Fuller Hospital in a period of 7 months in 2019 wherein employees were bitten, kicked, punched, slapped, and had their hair pulled out. A number of employees endured recurring concussions during those incidents.

In December 2019, OSHA mentioned UHS of Fuller Inc. and UHS of Delaware Inc. for allowing employees to suffer workplace violence. The companies disputed the citation and the Boston Regional Solicitor’s Office held a trial of the case over a period of two weeks in July and August 2022. At the trial, employees talked about the injuries they suffered and the hazardous working environment at the hospital. The employees stated that they were not given enough training and there were limited staffing levels. The defendants plead the trial decision to the Occupational Safety and Health Review Commission.

In January 2023, Review Commission Administrative Law Judge Carol A. Baumerich confirmed the serious citation, determined that the two companies managed the hospital as one employer, and decided that the planned abatement actions were achievable and would considerably minimize the employees’ risks to violence in the workplace. The offered measures consist of having more employees to handle behavioral health problems, making sure new employees get sufficient training, having skilled security specialists on all three work shifts, giving personal panic alerts to employees, and doing post-incident debriefings and inspections.

The two companies were likewise sanctioned for not complying with discovery responsibilities and ruining surveillance video clips of incidents of violence involving employees. The companies were directed to pay OHSA $20,175 in attorneys’ fees. In a different situation, UHS-Fuller and UHS-Delaware were directed to pay OSHA $30,515 in attorneys’ fees as a result of the inability to comply with an OSHA-given subpoena for the surveillance video clips.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at