The recent data breach at Cardiovascular Associates, a cardiology practice in Birmingham, Alabama, serves as a stark reminder of the true cost of ignoring compliance and cybersecurity measures. In late 2022, they suffered a serious data breach that compromised the sensitive data of 441,640 patients.
The Security Incident
Unauthorized individuals gained access to the network over the period of a week and removed files containing sensitive patient information. After discovering the breach on December 5th, Cardiovascular Associates took swift action to contain it and prevent further unauthorized access. They engaged a leading digital forensics firm to conduct a comprehensive investigation, which confirmed that the data theft had indeed occurred.
The Information Accessed
While the extent of the data compromised varied from patient to patient, the affected files contained a wide range of sensitive information including:
- Full names
- Birth dates
- Social Security numbers
- Health insurance information
- Medical record numbers
- Dates of service
- Provider and facility names
- Visit, procedure and diagnosis information
- Medical test results and images
- Billing and claims information
- Passport numbers
- Driver’s license numbers
- Credit and debit card information
- Financial account information
A limited number of patients had their usernames and passwords compromised.
The 10 Causes of Action
In addition to the devastating impact on patient privacy, this data breach led to the filing of ten causes of action against Cardiovascular Associates, highlighting the various legal grounds on which the affected patients can seek compensation for the harm caused by the breach. These are:
#1: Negligence
#2: Negligence Per Se
Negligence and negligence per se involve the failure of Cardiovascular Associates to adequately protect patient information and to comply with relevant data protection laws.
#3: Breach of Implied Contract
#4: Breach of Fiduciary Duty
Breach of implied contract and breach of fiduciary duty relate to the failure of the practice to uphold its obligations to patients to keep their personal and medical information secure.
#5: Unjust Enrichment
#6: Wantonness
Unjust enrichment and wantonness involve the practice’s alleged gain at the expense of patients’ privacy and its alleged recklessness in handling sensitive information.
#7: Intrusion Upon Seclusion
#8: Invasion of Privacy
#9: Violation of the Alabama Deceptive Practices Act
Intrusion upon seclusion, invasion of privacy, and violation of the Alabama Deceptive Practices Act relate to the alleged invasion of patients’ privacy rights and the misrepresentation of the practice’s data protection measures.
#10: Declaratory Judgment
Finally, declaratory judgment seeks a declaration from the court on the rights and obligations of the parties involved in the data breach.
As the legal process unfolds, it is clear that the true cost of ignoring compliance and cybersecurity measures can be significant, not just in terms of the reputational damage and financial costs incurred by the practice, but also in terms of the potential legal liabilities and the harm suffered by affected patients. It is imperative that healthcare providers (really, all organizations) take their data protection obligations seriously and implement robust security measures to safeguard sensitive information.
Get a Second Opinion Today!
If you’re concerned that your organization isn’t following compliance regulations, or that you might fall victim to a data breach, then let’s talk! You can book a COMPLIMENTARY second opinion with Phillip. Please select a date and time from his calendar below.
How to Protect Your Company’s Reputation After a Data Breach
Phillip Long – CISSP, CEO of BIS Technology Group, along with his team of marketing and information technology experts, will walk you through an overview of what your business should be doing to protect your data and plan your digital marketing strategies.
You may reach out to us at: