Sutherland Healthcare Solutions is facing a lawsuit that’s seeking class-action status. It is the outcome of an office burglary where computers were stolen, resulting in the loss of protected health information (PHI) for approximately 168,500 people. PHI encryption software was not used, apparently, as one of the complaints is that the “company failed to encrypt the data stored on the computers.”
Allegations and Compensation
In addition to the lack of encryption software, the use of which is a core component of HIPAA’s guidelines for securing data, the lawsuit alleges that, per latimes.com, Sutherland didn’t notify patients of the data breach “in a timely fashion” and did not provide enough relief (the words “woefully insufficient” are quoted).
The lawsuit is seeking further “compensation” in the form of:
additional credit monitoring and credit repair services, identity theft insurance, home security systems and other costs for the patients whose data was taken. It also asks the court to order the county to require more stringent procedures to protect private and confidential data in future contracts.
I tend to side with the ultimate victims in such cases. to be honest (“ultimate victims” because Sutherland is a victim, too, although it’s doubtful that they’ll have to worry about their credit history being trashed), but home security systems? According to an earlier story, the following information was on the stolen computers, but free ADT services sounds like overdoing it a tad:
The computers contained data including patients’ first and last names, Social Security numbers and certain medical and billing information, and they may also have included birth dates, addresses and diagnoses. [latimes.com]
Of course, when eight computers (and two monitors) are stolen, it’s kind of a miracle that this was the extent of the breach.
PHI Encryption: Where Was It?
The surprising aspect of this story, however, is the lack of encryption on these computers. Why would they not be encrypted? Sutherland, who did billing and collections for the state (more specifically, for LA county) would have been tagged as business associate under HIPAA rules. This means that Sutherland would have to comply with pretty much all aspects of HIPAA, and one of the basic, core practices is to encrypt any computers that store PHI.
It’s so basic that there really shouldn’t be a reason why people should be reminded of it. On the other hand, people seem to have problems understanding the importance of fastening seat belts, so, perhaps I shouldn’t be surprised.
And, Sutherland shouldn’t be surprised that they’re being sued because of it, either.
Chances are, though, that Sutherland will win the suit before it even has its day in court. To date, not a single lawsuit stemming from a HIPAA data breach has been won by plaintiffs.
Related Articles and Sites: