In September 2021, Jackson County Schneck Memorial Hospital (Schneck Medical Center) in Indiana disclosed that they had been a victim of a cyberattack. Their first statement is no longer available on their website but was archived by a news site. That statement did not disclose that personal and protected health information had been accessed and acquired. Nor did Schneck Medical Center (SMC) tell patients what they should do to protect themselves. A subsequent statement in November 2021 also omitted critical information patients needed to assess their risk and to protect themselves.
It wasn’t until May 2022 that Schneck first notified 92,311 patients that their information had been compromised: full names, addresses, dates of birth, medical record and/or other internal identification numbers, driver’s license/state identification numbers, medical diagnoses and conditions, and for some patients, Social Security numbers, financial account information, and/or payment card information. Their notification did not explain the basis for their claim that there was no evidence the data had been misused or would be misused. Nor did they explain the significant delay in notification. Indiana law requires notification within 45 days of discovery; Schneck had taken more than seven months.
In June 2022, Schneck was sued in a potential class-action lawsuit.
On June 6, the state also sued Schneck, alleging violations of HIPAA, the Indiana Disclosure of Security Breach Act, and the Indiana Deceptive Consumer Sales Act. The suit claimed that “a HIPAA risk analysis completed in December 2020 put SMC on notice of many critical security issues that contributed to the Data Breach the following year. SMC had actual knowledge of and failed to address these security issues.”
The first three counts of the complaint detail how Schneck failed to comply with the requirements of HIPAA’s Security Rule, HIPAA’s Breach Notification Rule, and HIPAA’s Privacy Rule. The remaining two counts detail how Schneck violated the two state statutes, stating, at one point, “SMC explicitly and implicitly misrepresented that its systems were secure and compliant, when SMC knew they were not.”
The lawsuit was quickly settled without further litigation, with Schneck consenting to a judgment and order that requires them to pay $250,000 to the state, and to comply with the requirements of HIPAA and the two state statutes. The required behaviors are detailed in the consent order.
Two of the take-home lessons from this lawsuit for HIPAA covered entities and business associates:
- If you claim you are keeping data private and secure, but you know you have not patched or addressed known vulnerabilities, you may be violating state or federal laws about deceptive marketing.
- If your risk assessment alerts you to critical or serious vulnerabilities and you do not address them, your state may initiate a HIPAA enforcement action against you. Remember that HIPAA authorizes state attorneys general to pursue enforcement. And if you are a covered entity or business associate serving patients in more than one state, how many state attorneys general may initiate lawsuits against you?