Healthcare News & Insights

IT error leads to $31.8 million lawsuit against hospital

A class action lawsuit was recently filed against St. Joseph Health System of Orange, CA, after an IT error allowed private medical information about 31,800 patients to be searchable by the public online. 

The suit, filed by two allegedly affected patients in Sonoma County Superior Court, seeks $1,000 in damages per patient, for a total of $31.8 million. The complaint claims the health system was negligent and failed to preserve the confidentiality of the patients’ information, in violation of California’s Confidentiality of Medical Information Act.

This suit is one of five that have been filed against St. Joseph Health, the Santa Rosa Press Democrat reports.

The security incident was first reported in early February, when patients were notified that their data had been breached. Information made searchable included patient names, lab results and diagnoses, among other data.

One of the patients who filed the lawsuit discovered the breach on her own after she conducted a Google search for her own name and found her medical information on a hospital’s website.

How did that information end up becoming accessible through Google searches? One issue was that the data was held in the health system’s network without being password-protected or encrypted. In its initial notification to patients, St. Joseph Health acknowledged that security settings were “incorrect,” allowing the information to be searchable.

As this case shows, errors in setting security and other configurations can cause huge problems for healthcare organizations. A similar lesson was learned in a breach of information in Utah’s Medicaid system, when an unspecified configuration error left data about nearly 800,000 individuals open to attack from data thieves.
