OSHA Releases Citations of Florida and Wisconsin Hospitals’ Health and Safety Breakdowns and Johns Hopkins Fined Over MOVEit Data Breach

The Occupational Safety and Health Administration (OSHA) has given details on the health and safety failures of two hospitals that resulted in about $24,000 in penalties.

Florida Behavioral Health Facility Penalized for Inability to Keep Workers Safe from Workplace Violence

OSHA investigated UHS of Delaware Inc. – Wekiva Springs Center LLC, also known as Wekiva Springs Hospital located in Jacksonville, Florida, due to an escalating number of occurrences relating to workplace violence.

Wekiva Springs offers treatment for people with behavioral health and substance abuse problems. OSHA went to the facility in November 2022 after getting reports of several cases where workers were sexually assaulted, bitten, kicked, punched, and scratched. A number of workers had sustained concussions, wounds, and broken bones, and had experienced frequent, and often severe, occurrences of workplace violence.

As per OSHA, in 2022, 182 reports of alleged workplace violence at the hospital were documented. In a period of 6 months, 70% of workplace violence incidents needed police action. Some of the incidents reported involved:

  • a patient kicking a nurse in the stomach
  • a patient throwing a chair at hospital staff members
  • a mental health associate sustaining a concussion after a patient who did not want to be brought to the room repeatedly smashed the associate's head against an air conditioning unit

OSHA learned that employees were exposed to physical hazards and attacks while doing their regular daily work of giving care. Therefore, a citation was issued for a critical violation for not keeping the workplace free from known health and safety hazards that will probably lead to severe physical harm or death. OSHA imposed a $15,625 penalty and made various suggestions on how to enhance security and keep employees safe from workplace violence, for example, creating a workplace violence plan, making sure doctors were available during the night to order prescription drugs for violent patients, and giving panic alarms to workers.

OSHA stated UHS of Delaware has a substantial record of OSHA inspections and violations associated with workplace violence because of workers not being given sufficient protection. At the beginning of this year, a government administrative law judge confirmed that UHS of Delaware subjected staff to workplace violence in 2019 by giving insufficient protections, and UHS of Delaware was given approval for ruining monitoring videos exhibiting workplace violence.

OSHA Penalizes Miramont Behavioral Health for Documentation Failures

Miramont Behavioral Health, based in Middleton, WI, provides inpatient and outpatient behavioral health care. OSHA fined the healthcare provider $8,370 over an incident in which a nurse accidentally sustained a needlestick injury.

The incident happened in December 2022 and didn’t cause any work time loss or patient safety issues; nevertheless, OSHA’s assessment discovered safety and health problems resulting in four citations. Three were serious and associated with safety and health hazards. The citations involved a failure to keep a work injury record, a failure to correctly document the needlestick occurrence in its injury record, and a failure to include particular work in its exposure control plan.

All citations were completely abated within 24 hours and were generally associated with documentation problems. A representative for Miramont Behavioral Health stated that its documentation guidelines have already been modified and additional training is being given to workers to ensure complete compliance going forward. The citations were resolved through an informal agreement with OSHA in June 2023.

Multiple Lawsuits Filed Against Johns Hopkins Over MOVEit Data Breach

Johns Hopkins Health System and Johns Hopkins University are facing two lawsuits recently filed in the U.S. District Court for the District of Maryland for allegedly failing to appropriately protect and safeguard the PHI of patients, which resulted in the theft of their information by the Clop ransomware group.

The Clop ransomware group exploited a zero-day vulnerability in Progress Software's MOVEit Transfer file transfer solution. The ransomware attacks happened at the end of May 2023 and impacted over 150 companies. The personal data and PHI of millions of people were stolen. Johns Hopkins has not yet confirmed how many patients, employees, and students were impacted since the investigation is still ongoing, but it has mentioned the theft of names, addresses, birth dates, and Social Security numbers during the attack.

The claims of the two lawsuits are similar, alleging a failure to carry out proper security measures to safeguard protected health information (PHI) and personally identifiable information (PII). One lawsuit, which was filed on July 7 with Pamela Hunter as plaintiff, alleges the attackers stole the sensitive information of tens and perhaps hundreds of thousands of people because the defendants deliberately, willfully, recklessly, or negligently failed to take and carry out sufficient and appropriate measures to ensure the protection of Plaintiff’s and Class Members’ PHI/PII, and did not follow applicable, necessary, and proper practices, guidelines, and procedures concerning the encryption of information, including that for internal use.

The lawsuit additionally claims the defendants failed to fulfill their obligations as per the HIPAA Privacy and Security Rules concerning the security of PHI, and the HIPAA Breach Notification Rule by unnecessarily delaying the issuance of breach notification letters. The lawsuit claims negligence, unjust enrichment, breach of the implied covenant of good faith and fair dealing, and breach of implied contract. Another lawsuit that was filed on July 10 with Ayomiposi Asaolu and Maria Gregory as plaintiffs has the same allegations concerning the inability to secure PII/PHI. The lawsuit claims breach of fiduciary duty, breach of implied contract, negligence, negligence per se, breach of confidence, unjust enrichment, and intrusion upon seclusion/invasion of privacy.

The two lawsuits claim the plaintiffs and class members were harmed by the data breach and assert that injuries were sustained in the form of lost money and time spent guarding against identity theft and fraud, a reduction in the value of their PHI/PII, stress over the effect of the data breach, and an impending and considerable risk of identity theft and fraud as a result of the theft of their sensitive information. The lawsuits seek injunctive relief and damages and propose a list of measures that must be implemented to prevent similar data breaches in the future.

The lawsuits will probably hinge on whether or not the plaintiffs are confirmed to have sustained a tangible injury resulting from the data breach, and if any such harm could be related to this particular data breach. Courtney L. Weiner and Laukaitis Law LLC represent Pamela Hunter and the class while Tycko & Zavareei LLP and Edelson Lechtzin LLP represent Maria Gregory and Ayomiposi Asaolu.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone