Mo. Hospital Failed to Protect PHI, PII of Patients in Data Breach: Class Action
A Liberty, Missouri, hospital “disregarded” Dan Cook's rights by “intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures” to protect his personal health (PHI) and personally identifiable information (PII), alleged Cook's class action Wednesday (docket 4:24-cv-00134) in U.S. District Court for Western Missouri in Kansas City.
Liberty Hospital posted a notice to its website Feb. 9, announcing a Dec. 18 data breach, discovered on Dec. 19, in which an unauthorized actor “may have viewed or taken certain information” stored on its network. The type of information accessed “varies per person” but includes individuals’ names, and demographic, medical and treatment information, the notice said.
Cook was unaware of the data breach before seeing the website notice, the complaint said. A fraudulent charge on his debit card in December “is particularly concerning” given the proximity to the hospital’s data breach, said the complaint. The Liberty resident was injured in the form of lost time dealing with the consequences of the breach, including time spent verifying its legitimacy and impact, exploring credit monitoring and identity theft insurance, monitoring his accounts and seeking legal counsel regarding options for remedying effects of the breach, it said.
Cook was also injured by risk to future harm based on the breach, the complaint said. The data involved, including PHI, is “highly sensitive and presents a high risk of identity theft or fraud,” it said. It’s likely, given Liberty Hospital’s clientele, that some of the class’ information that has been exposed “has already been misused,” it said. The plaintiff has suffered injury in the form of damage to the value of his PHI/PII, “intangible property” that he entrusted to the hospital, it said. He has increased anxiety over his loss of privacy and the impact of cybercriminals accessing, using and selling his PHI and PII, it said.
The hospital breached its duty to notify Cook and class members of the breach by waiting months after learning of the incident to notify them and then by “failing and continuing to fail” to provide them sufficient information about it, the complaint said. To date, Liberty has not provided sufficient information regarding the extent of the unauthorized access, it said.
Liberty Hospital could have prevented the data breach by “adequately securing and encrypting and/or more securely encrypting its servers,” the complaint said. Its negligence is “exacerbated by repeated warnings and alerts directed to protecting and securing sensitive data, as evidenced by the trending data breach attacks in recent years,” it said.
Claims for relief include negligence; breach of implied contract and implied covenant of good faith and fair dealing; and unjust enrichment. Cook seeks orders requiring Liberty Hospital to encrypt all data collected for business in accordance with applicable regulations, industry standards and local, state and federal laws and to implement a comprehensive information security program. He also seeks actual, nominal, and consequential damages, prejudgment interest, and attorneys’ fees and costs. Liberty Hospital doesn't comment on pending litigation, a spokesperson emailed Thursday.