ST. LOUIS (CN) – A hospital and cancer center allowed a laptop computer stuffed with unencrypted, confidential information on its patients to be stolen, and did not notify patients of the data theft for 8 weeks, patients say in a class action.
Named plaintiff Rita Barricks claims the laptop was stolen during the weekend of Dec. 4, 2010 from Barnes-Jewish Hospital dba The Siteman Cancer Center, a joint venture between Washington University and Barnes-Jewish Hospital.
Barricks says the computer contained patients’ names, addresses, phone numbers, birth dates, Social Security numbers, medical records, diagnoses, lab results, email addresses, insurance information and employment information.
“WashU and BJC have a policy of encrypting the sensitive information of plaintiffs,” according to the complaint in City Court. “However, the stolen laptop was unencrypted and contained unencrypted sensitive information.”
Barricks claims the defendants immediately knew about the theft, but waited 8 weeks – until Jan. 28 – to inform patients.
During that time, Barricks says, her identity was stolen.
“The identity theft involved unauthorized attempts to access plaintiff’s online banking account, application of unauthorized charges to plaintiff’s bank account, and unauthorized access to plaintiff’s email account for the purpose of soliciting money from some or all of plaintiff’s email contacts,” the complaint states.
Barricks claims the defendants’ offer to monitor patients’ credit through TransUnion TransCredit for 1 year is “woefully insufficient,” because identity theft victims often face years of theft, not to mention the humiliation of having her confidential medical information hacked.
She claims the defendants, which include Washington University and its medical school, violated the Health Insurance Portability and Accountability Act by failing to maintain an adequate security system; failing to encrypt patients’ sensitive information; failing to implement policies that allowed access to electronically stored health information only to those granted access; and failing to prevent removal of electronically protected health information from its facility.
Barricks seeks damages and restitution for identity theft and an injunction requiring the defendants to collect and store patients’ data according to HIPAA standards.
The class is represented by Neil Smith of Clayton, Mo.