Wednesday, 3 June 2015

UPMC Health Data Breach Lawsuit Dismissed

A Pennsylvania judge dismissed the health data breach lawsuit that had been filed against the University of Pittsburgh Medical Center (UPMC) last year.

Former UPMC employees filed the lawsuit after a data breach compromised the information of approximately 27,000 employees. The suit alleged that UPMC and its payroll vendor breached their duty to protect private employee information and exposed those employees to tax return fraud.

As previously reported on HealthITSecurity.com, there were 788 known cases of employees becoming victims of tax fraud. While no patient information was reportedly compromised, the lawsuit claimed that UPMC failed to safeguard its computer systems and to prevent vulnerabilities in them from being exploited.

However, Common Pleas Judge R. Stanton Wettick said in his opinion that UPMC also was a victim of the cyber attack, according to a TribLive report. Moreover, Wettick said that an improved system for storing confidential information would not have necessarily prevented the health data breach.

Wettick added that there was no “meeting of the minds” in which UPMC agreed to be liable for such security breaches.

No healthcare organization wants to be responsible for a health data breach, regardless of whether it affects employees, patients, or both. However, cases like this are good examples of why comprehensive and current business associate agreements need to be established.

This topic was discussed at HIMSS15, where speakers also highlighted how a covered entity (CE) could have more difficulty recovering after a data breach. Keeping track of business associate (BA) relationships can be a challenge for large covered entities, according to Gerry Hinkley, a partner at Pillsbury Winthrop Shaw Pittman LLP, and Deven McGraw, JD, MPH, LLM, partner at Manatt, Phelps & Phillips LLP.

The HITECH Act also impacted CE and BA relationships, the duo stated. Vendors of cloud storage services are now more likely to consider themselves a BA, which is different from before the Act. Moreover, certain CEs will view BA direct accountability as a positive development, while others do not see it making a huge difference.

Even so, there are cases where lawsuits arising from a health data breach lead to either a covered entity or its business associate having to pay money for a settlement. For example, Stanford Hospital & Clinics and a former contractor had to pay more than $4 million to settle a class action lawsuit stemming from an incident in 2010.

Approximately 20,000 emergency room patients’ data became available in 2010 on a third-party student homework website, which violated California’s Confidentiality of Medical Information Act (CMIA). Credit card information and Social Security numbers were not exposed, but medical record numbers, hospital account numbers, billing charges, as well as emergency room admission and discharge dates were potentially compromised.

According to the agreement, Stanford would create a program dedicated to improving its security posture by training vendors on how to best protect patient privacy.

View the original content and more from this author here: http://ift.tt/1JqnjtS



from health IT caucus http://ift.tt/1IcWfwv
via IFTTT
