The Indiana Law Blog: Ind. Law - Suit involving hospital system loss of records

« Ind. Decisions - Supreme Court decides case involving arbitrator's award | Main | Ind. Decisions - Supreme Court denied transfer in Bob Knight open door case »

Wednesday, November 01, 2006

Ind. Law - Suit involving hospital system loss of records

"Letter warns patients of mishandled personal data" was the headline of an AP story published last Wednesday, Oct. 25. Some quotes:

INDIANAPOLIS — A hospital system has begun notifying at least a quarter-million patients of its Indiana and Illinois hospitals that a medical records contractor lost compact discs containing their Social Security numbers and other personal information.

However, officials at the Sisters of St. Francis Health Services say the lost CDs were recovered, and they do not believe any of the information was improperly accessed.

A letter to patients of the system, which operates 10 hospitals in Indiana and two in Illinois, says that in July, an employee of a medical billing contractor copied the data onto several CDs and placed them in a new computer bag to work from home.

That employee later decided the bag was too small and exchanged it at a store, accidentally leaving the discs inside, the letter said.

Lisa Decker, a spokeswoman for St. Francis subsidiary Greater Lafayette Health Services, said the person who later bought the bag immediately returned the discs to the company. * * *

The letter to patients urged them to check their credit reports. * * *

St. Francis operates hospitals in Indianapolis, Crawfordsville, Crown Point, Dyer, Hammond, Lafayette, Michigan City and Mooresville and the Illinois cities of Chicago Heights and Olympia Fields.

Yesterday, a second AP story reported:

INDIANAPOLIS (AP) -- An Indiana man has sued a hospital system over a security lapse that may have exposed the private information of more than 260,000 patients.

Greenwood resident Michael Chaney claims that The Sisters of St. Francis Health Services Inc. and its contractor violated federal HIPAA privacy laws and failed "to take reasonable corrective action" such as promptly notifying patients of the breach.

Attorneys for Chaney are seeking class-action status for the suit, filed Friday in U.S. District Court in Indianapolis, so it could represent thousands of other people whose information may have been exposed. The suit seeks damages including no less than $5,000 for each affected class member.

HIPAA is listed as the basis of the suit. There is no mention in the stories of whether the legislation enacted last year by the Indiana General Assembly concerning identity theft also forms a part of the complaint. For background on that law, start with this ILB entry from July 27, 2006.

Posted by Marcia Oddi on November 1, 2006 07:54 AM
Posted to Indiana Law