Recent Lawsuits Filed Related to Healthcare and HIPAA Violations

Employer Pays $15,000 Damages for Firing a COVID-19 Whistleblower

An employee got fired for pointing out  COVID-19 safety concerns. But now he will get $15,000 in damages because the Occupational Safety and Health Administration (OSHA) ordered the employer to pay him for violating the whistleblower protections of the Occupational Safety and Health (OSH) Act.

Last December 2020 at the time of the COVID-19 pandemic,  a luxury car dealership in Austin, Texas had an employee who found out that another employee tested positive for COVID-19. The employee notified the management and requested the notification of the dealership’s employees immediately to warn them about getting exposed to COVID-19. Management did not take action. Hence, the employee himself emailed all company employees about the situation. For doing that, the employer fired him immediately.

OSHA investigated dealership’s potential violations of the OSH Act, particularly, the whistleblower protections under the OSH Act section 11(c). This provision  protect  employees from the employer’s retaliation when they blow the whistle by pointing out health and safety issues at work. OSHA found that the employee had done what is legally right under the OSH Act and he was terminated illegally.

In October 2021, the U.S. Department of Labor filed a lawsuit against the auto dealership, Hi Tech Imports in the U.S. District Court for the Western District of Texas, Austin Division. The lawsuit demanded reinstatement, payment for lost salaries and benefits due to the termination, refund for costs and expenditures, exemplary or punitive damages, and compensatory damages.

On March 20, 2023, a decision was made requiring Hi Tech Imports LLC, doing business as Porsche Austin, to give the employee $15,000 as compensatory damages. The court also prohibited the dealership to discriminate against employees who will voice concerns regarding health and safety at work.

The U.S. Department of Labor is protective of workers when employers retaliate against them for voicing safety and health concerns, stated Dallas Regional Solicitor of Labor John Rainwater. The department is committed to maintaining safe and healthy conditions in the workplace as demanded by federal legislation.  Employees should not fear their bosses when they report valid safety issues.

OSHA and the National Labor Relations Board settled a similar case on July 26, 2022. Hi Tech Motorcars LLC, Hi Tech Luxury Imports LLC, Hi Tech Imports LLC, Hi Tech Partners LLC agreed to pay $116,231 in back wages and restore the employee to their prior work position.

Conifer  and Tenet Healthcare Faces Lawsuit Over Email Account Breach

Conifer and Tenet Healthcare faces a class action lawsuit over a protected health information (PHI) breach involving thousands of people. The defendants of the lawsuit are Conifer Value-Based Care, Conifer Health Solutions, Tenet Healthcare Corporation, and Conifer Revenue Cycle Solutions. Conifer is a provider of revenue cycle management and value-based care services. All Conifer entities are subsidiaries of Tenet Healthcare. The U.S. District Court Northern District of Texas, Dallas Division filed the lawsuit on behalf of plaintiff Nicole Kolb, and other individuals in the same situation. Joe Kendall of Kendall Law Group, Gary M. Klinger of Milberg Coleman Bryson Phillips Grossman, and Samuel J. Strauss and Raina Borrelli of Turke & Strauss represent the plaintiff and the class.

This class action lawsuit was prompted by a breach of a business email account under Microsoft 365 hosting that was discovered on April 14, 2022. The investigation confirmed the compromise of the account on January 20, 2023. The  compromised email account contained the following data: full names, birth dates, home addresses, medical and treatment data, medical insurance data, and billing and claims details, and the financial account data, Social Security numbers, and driver’s license numbers of some individuals.

The lawsuit claims the defendants were unable to secure highly sensitive information; didn’t have enough monitoring tools in place to identify unauthorized account activity; and were late in sending notification letters for a couple of months. The plaintiff found out that she was  impacted by the data breach on September 30, 2022, over 8 months following the breach incident and over 5 months after discovering the breach. Then there was no remedy offered for the bad effects of the data breach. The lawsuit likewise alleged these three HIPAA Rules violations:

  • a failure to protect the integrity, confidentiality, and availability of electronic protected health information (ePHI)
  • a failure to protect against anticipated threats to ePHI security
  • a failure to protect against likely uses and disclosures of ePHI not allowed by the HIPAA Privacy Rule.

Though the lawsuit was filed due to a breach at Conifer Value-Based Care, which was reported to the HHS’ Office for Civil Rights with 20,642 persons affected, the lawsuit additionally names another Conifer entity, called Conifer Revenue Cycle Solutions, that encountered the same  breach about that time. The breach was reported to the HHS’ Office for Civil Rights  with 134,948 persons affected, which indicates further the inability of the defendants to keep sensitive information secure.

The lawsuit alleges the plaintiff and class members are facing inevitable and impending harm because of a higher risk of identity theft and fraud. The plaintiff needed to spend time addressing the breach consequences, has received more  spam text and telephone calls from the time the breach occurred, has spent more  time tracking her accounts for personal data misuse. Furthermore, the plaintiff faced value diminution of her sensitive information, emotional distress, and anxiety.

The lawsuit clàims negligence, negligence per se, violation of privacy, unjust enrichment, and violations of the  California Consumer Records Act, the California Confidentiality of Medical Information Act, and the California Unfair Competition Law. The lawsuit wants a jury trial, a class action status, injunctive relief, compensatory, exemplary, punitive damages, statutory damages, declaratory and other equitable relief, and attorneys’ fees and legal expenses.

Mount Nittany Health Faces Lawsuit for Alleged Website Tracking Code PHI Breach

Mount Nittany Health operates a 260-bed Medical Center in the State College of  Pennsylvania. It is facing lawsuit for allegedly using tracking code on its website that resulted in the impermissible disclosure of sensitive patient information to third parties like Facebook and Google.

A newly published research study shows 99% of U.S. hospitals have installed  tracking code on their webpages that gathers the information of users while they use the website. Codes are commonly used to evaluate website usage with the purpose of enhancing the website and its  services. The information gathered is sent  to the code vendors and may be sent to third parties like advertisers for the purpose of serving targeted ads and other marketing reasons. A number of health systems and hospitals have submitted data breach reports associated with the use of the code in the last couple of months, including WakeMed Health and Hospitals, Community Health Network, Novant Health, and Advocate Aurora Health. Because of these data disclosures, there are lawsuits filed throughout the country for violation of the Health Insurance Portability and Accountability Act (HIPAA).

Attorney George Bochetto of the law company Bochetto & Lentz filed the lawsuit on behalf of two unnamed plaintiffs, John and Jane Doe, against Mount Nittany Health in Centre County Court in Pennsylvania. The lawsuit alleges that code such as Pixel collected the sensitive data of website visitors and  transmitted it to Meta or other third parties even without the website users’ knowledge or consent. The code transmitted personally identifiable information (PII) and data  obtained from actions done on the websites. From this information, it’s possible to know if a person was a patient and for what treatment.

The lawsuit claims Mount Nittany Health still has tracking codes on its website and users ate not informed regarding  impermissible disclosures. At this time, Mount Nittany Health has not posted any  notification on its website regarding a data breach associated with the use of tracking code. There is also no data breach report  posted on the HHS’ Office for Civil Rights breach website. The lawsuit alleges the  violations of privacy and of the Wiretapping and Electronic Surveillance Control Act, and breach of duty of confidentiality. The lawsuit seeks $1 million in damages.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at