A class action lawsuit submitted after a staff-member related data breach at Flowers Hospital in Dothan, Alabama in 2014 is likely to be settled. The settlement is awaiting final court approval, although approval seems imminent and a resolution to this four-year legal battle is now achieveable.
Unlike the majority of class action lawsuits filed over the exposure/theft of PHI, this case involved the theft of data by an insider rather than a cyber criminal. Additionally, the former staff member used PHI for identity theft and fraud and was convicted of those crimes.
The breach occurred when a former lab technician, Kamarian D. Millender, who was found in possession of paper records the included patients protected health information. Millender admitted to using the data for identity theft and for filing false tax returns in victims’ names. In December 2014, Millender received a two-years prison sentence.
In the class action lawsuit, filed in 2014, it was alleged that between June 2013 and December 2014, paper records were left unsecured and unguarded at the hospital and could have been taken by staff members or third parties. In the case of Millender, that is exactly what occurred.
Flowers Hospital tried to have the lawsuit struck out, although that attempt was unsuccessful and the lawsuit was awarded class action status in 2017. The decision has now been taken to settle the legal action. The hospital has offered a fund of up to $150,000 to cover out-of-pocket expenses incurred by the 1,208 individual affected by the breach. The settlement would provide each class member with up to $250 each, although claims up to an overall value of $5,000 would be reviewed.
In order to be eligible to receive the compensation offered, class members would need to file valid claims. A valid claim would require a breach victim to show evidence that they purchased credit monitoring or identity theft protection services in response to being alerted about the breach.
Furthermore, breach victims would be permitted to claim money for the time they spent arranging those services – up to four hours of documented lost time – the cost of receiving credit reports, and any un-reimbursed interest due to a delayed tax refund as a result of there being a fraudulent tax return submitted between June 2013 and the claims deadline. The settlement does not incorporate any punitive damages.
If it happens that the total claims amount exceeds the allocated $150,000, all claims would be lowered, pro rata, so that the total claims value would not be more than $150,000.