Medical Records accessed without permission

[Taxing Matters]

The sole remedy to get any money damages would under NC state law. The federal Health Insurance Portability and Accountability Act (HIPAA) provides you only one remedy for a violation—filing a complaint with the U.S. Department of Health and Human Services. cbg already gave a link for that. Thus you'd have to find a cause of action under NC law and pursue that in state court. The problem is that all you get in most civil actions is money to compensate you for the actual harm caused, known in the law as damages. I'm not seeing any damages so far in what you've provided. So unless the state provided a statutory remedy that gives a money claim without suffering any damages I'm not seeing anything worthwhile to do in this instance beyond making the HHS complaint. I have not, however, looked at the NC statutes to see if there is any provision for statutory damages in this situation. If you want to explore that possibility I recommend you consult a local civil litigation attorney. You'd look for an attorney who handles personal injury cases. If they keep telling you they don't handle those kinds of cases that's a pretty good indicator that there's nothing substantial to get under state law.

 

[quincy]

I have been calling lawyers to see if there is anything we can do, but none of them handle this type of case. Not sure how to find one that does.

You can look for attorneys who handle invasion of privacy cases. There are several in North Carolina practicing in this specialized field of law.

https://www.ncbar.gov/for-the-public/finding-a-lawyer/

Before setting up appointments, ask the attorneys/their office clerks about free initial consultations (and the time allotted for the free consultation).

 

[Mark_A]

My suspicion is that many patients were involved in this breach of patent confidentiality and Duke University Health Care was required by law to inform those affected that it happened. If so, this would be a case for a class action lawsuit, so try and find law firms that handle those type of cases and see what the status is, and whether there are any law firms already working on this.

 

[quincy]

My suspicion is that many patients were involved in this breach of patent confidentiality and Duke University Health Care was required by law to inform those affected that it happened. If so, this would be a case for a class action lawsuit, so try and find law firms that handle those type of cases and see what the status is, and whether there are any law firms already working on this.

Anna3217 said that “an employee” accessed the health information without authorization. Nothing suggests a class action suit is possible.

With most security breaches, unless there is tangible harm suffered, what is offered to those whose personal information is breached will be free credit monitoring and ID protection services.

If you want a bit of a reality check on how safe your personal information is, here is a link to the US Department of Health and Human Services “Breach Portal” which lists health information breaches.

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

 

[adjusterjack]

I have been calling lawyers to see if there is anything we can do, but none of them handle this type of case. Not sure how to find one that does.

That's a nice way for a lawyer to tell you there's no money in it.

If you can find a lawyer to do it, it won't be on a contingency. You'll have to pay a retainer of many thousands against an hourly rate of $300 to $500.

Are you prepared to spend that kind of money?

 

[not2cleverRed]

I do not think you have a (meaningful) beef with the hospital: they detected an employee who was doing something wrong, and informed you. Did they indicate in their letter that disciplinary action was taken? For example, is this a "former employee", or has the party been reassigned to a job where they no longer have access to sensitive records?

Your beef should be with the employee that misused their access to hospital records. None of us know why they did this, whether you were the only one, or how the hospital came to know that they were doing this.

You have not indicated in your thread that you how harmed by this action (beyond potential embarrassment) - like, was your information given/sold to another party for commercial purposes, etc.? Is there a potential for it to damage you within your occupation? What will the cost of therapy be to recover from the damage? (Is this person spreading rumors about you, based on the ill gotten information? If you feel that you are being driven to self harm, do get help.)

If you are reasonably sure of who the person is, ask the lawyers you've consulted about a cease and desist letter. This will cost you a modest sum. This will not result is a windfall for you, but could scare the pants off the recipient.

 

[Mark_A]

Anna3217 said that “an employee” accessed the health information without authorization. Nothing suggests a class action suit is possible.

Before I posted that, I did a Google search and apparently Duke University Health Care has some data breaches recently. I clearly said it was my suspiciion that other patient records were involved, not that I know that for a fact. That is why I suggested that the OP do some research and possibly contact lawyers who specialize in Class Action Lawsuits to find out if they know anything, I find it hard to believe that Duke University Health Care would know if just one employee only accessed only one patient's record inappropriately.

 

[Zigner]

I find it hard to believe that Duke University Health Care would know if just one employee only accessed only one patient's record inappropriately.

I agree in general, but the OP indicated that they believe they know who accessed the records. Someone there has a beef with the OP, and that's who the OP thinks is involved.

 

[Mark_A]

I agree in general, but the OP indicated that they believe they know who accessed the records. Someone there has a beef with the OP, and that's who the OP thinks is involved.

OP said "I most likely know who did it. Do you know if the hospital has to tell me who it is?"

I am still skeptical. I get letters about data breaches all the time from various financial institutions saying my confidential data has been breeched. They are usually required to send out notices when this happens.

 

[LdiJ]

OP said "I most likely know who did it. Do you know if the hospital has to tell me who it is?"

I am still skeptical. I get letters about data breaches all the time from various financial institutions saying my confidential data has been breeched. They are usually required to send out notices when this happens.

Organizations generally know when there has been a mass data breach. They don't necessarily know (at least at the time) if someone has accessed one file inappropriately.

 

[Taxing Matters]

My suspicion is that many patients were involved in this breach of patent confidentiality and Duke University Health Care was required by law to inform those affected that it happened. If so, this would be a case for a class action lawsuit, so try and find law firms that handle those type of cases and see what the status is, and whether there are any law firms already working on this.

Even if it was a wide spread breach, I'm not as confident as you seem to be that there is a viable class action to be had.We lack a lot of essential information. First, the OP didn't state, and likely does not know at this point, exactly what data the employee accessed. Second, we don't know what, if anything, the employee did withh the data. Third, while you may suspect that more than one patient was affected, the OP hasn't stated that and there is nothing in the post that hints at the answer to that question one way or the other. Fourth, we don't know, what, if any damages were suffered by those affected by the breach. The NC class action rule requires not only the nature of the claim be common among the class but also that they were all similarly affected by the breach. The University of North Carolina has a detailed explanation of the NC class action rule that shows the hurdles a case has to clear to be certified as a class action.

In short, all we know at this point is that the OP's information was improperly accessed by an employee. That's not nearly enough to know if the OP has a viable legal claim at all let alone whether there may be the possibility of a class action. There's an awful lot of information needed to get from what we have now to make a reasonable call on whether a class action might be appropriate.

I encourage the OP to meet with a personal injury lawyer or, if there is one, a NC attorney who focuses their practice to just identity theft and data breach cases to see what options may exist and what additional information is needed to know is there is even a worthwhile individual case to bring here. But go into any meeting with a lawyer with realistic expectations. Keep in mind that what you might hear is that there is no good legal case to pursue out of this.

 

[Mark_A]

Even if it was a wide spread breach, I'm not as confident as you seem to be that there is a viable class action to be had.We lack a lot of essential information. First, the OP didn't state, and likely does not know at this point, exactly what data the employee accessed. Second, we don't know what, if anything, the employee did withh the data. Third, while you may suspect that more than one patient was affected, the OP hasn't stated that and there is nothing in the post that hints at the answer to that question one way or the other. Fourth, we don't know, what, if any damages were suffered by those affected by the breach. The NC class action rule requires not only the nature of the claim be common among the class but also that they were all similarly affected by the breach. The University of North Carolina has a detailed explanation of the NC class action rule that shows the hurdles a case has to clear to be certified as a class action.

In short, all we know at this point is that the OP's information was improperly accessed by an employee. That's not nearly enough to know if the OP has a viable legal claim at all let alone whether there may be the possibility of a class action. There's an awful lot of information needed to get from what we have now to make a reasonable call on whether a class action might be appropriate.

I encourage the OP to meet with a personal injury lawyer or, if there is one, a NC attorney who focuses their practice to just identity theft and data breach cases to see what options may exist and what additional information is needed to know is there is even a worthwhile individual case to bring here. But go into any meeting with a lawyer with realistic expectations. Keep in mind that what you might hear is that there is no good legal case to pursue out of this.

I didn't say that there was a viable class action to be had. I suggested that legal claims for these kind of data breeches are usually handled by class action lawsuits, and that the OP might want to check around and see if there is one active or being planned against the Duke medical facility, which might be the best way to determine whether there is a viable case. Yes, I am guessing that more than one person's records was inappropriately accessed, but I could be wrong. I don't think the OP knows either (if you read his posts carefully).

It's pretty easy to find law firms that specialize in class action lawsuits, and one could probably send them an email asking if they know of any actions against Duke Healthcare for a data breach or inappropriate accessing of records. Even if there is a class action lawsuit being pursued, and even if it results in a settlement, if there are lots of members of the class action (there usually are) then the payout after the attorneys get their share, is likely to be pretty small. I have been invited by law firms to join a class action lawsuit probably 15 times over the years for various things, and got very small checks maybe 3-4 times.

 

[quincy]

… It's pretty easy to find law firms that specialize in class action lawsuits, and one could probably send them an email asking if they know of any actions against Duke Healthcare for a data breach or inappropriate accessing of records. Even if there is a class action lawsuit being pursued, and even if it results in a settlement, if there are lots of members of the class action (there usually are) then the payout after the attorneys get their share, is likely to be pretty small. …

Anna3217 said she has already called attorneys. She certainly can call more if she wants to but emailing attorneys, without a prior relationship with the attorney, is likely to get the email a one way ticket to a spam folder.

 

[Mark_A]

Anna3217 said she has already called attorneys. She certainly can call more if she wants to but emailing attorneys, without a prior relationship with the attorney, is likely to get the email a one way ticket to a spam folder.

Due to the large number of plaintiffs involved in a class action lawsuit, almost all of the contact between lawyers and members of the class action is done via the Internet, emails, or US mail. Like I said, I have been part of about 15 class action lawsuits over the years, and never once did I personally speak with a lawyer, and all contact was done via the Internet, email, or US mail. Most of time the lawyers contacted me first, having obtained the names, addresses, emails, etc of affected potential plaintiffs from the defendant (probably by court order).

There are websites that allow one to search for existing class action lawsuits, but I did not see one related to Duke University Health Care. But whatever happened to the OP may be so new, that not enough time has elapsed to start a class action lawsuit, or perhaps the OP is the only one affected (in which case a Class Action is not appropriate). So the OP needs to find out more about what actually happened, and how many patients were affected.

Hiring a lawyer and going it alone is probably not a good option, unless there was some medical malpractice involved that caused injury to the patient, and in that case a Personal Injury lawyer should be contacted. A Personal Injury lawyer is not likely to take a case related to HIPPA violations, since Personal injury lawyers are typically paid on a contingency fee basis, meaning they only get paid if they win the case for their client, and they are looking for cases with fairly large damage claims.

If the OP finds out that multiple patients were affected by this, then one can google "How to Start a Class Action Lawsuit" and find several law firms who will prompt one to entire in information on their website for them to investigate and get back to one with their legal analysis. I can assure you that the people who own these websites are licensed attorneys.

 

[quincy]

As a reminder, there is no indication given by Anna that there is any support for a class action lawsuit. The class action discussion is just a detour Mark_A decided to take.