BALLSTON SPA, N.Y. (CN) - An upstate New York hospital exposed patients to unauthorized snooping when doctors' notes became accessible through a vendor's computer server, a class action claims in state court.
Lead plaintiffs Dara Halliday and Teresa Green discovered the breach when they typed their names into Google's search engine and saw links to confidential health information, they claim in Saratoga County Supreme Court.
They say the information included notes on their treatment, medications, physical exams and laboratory reports from visits to the family health centers or physician practices run by Glens Falls Hospital. The records are stored electronically.
The 400-bed hospital, which bills itself as the largest between Albany and Montreal, operates more than two dozen health centers and physician practices in six counties surrounding Glens Falls.
A notice posted on the hospital's website says it learned of the security breach in mid-March and began an investigation. A computer forensics expert discovered that a server used by Portal Healthcare Solutions, a third-party vendor, was left unsecured between Nov. 2 and March 14.
According to the notice, transcribed doctors' notes containing medical information on 2,360 patients could have been accessed during the four months. The reports did not include Social Security numbers, financial account information or home addresses, according to the hospital.
"We have terminated Portal's services and the vendor no longer does business with our hospital," states the notice, which included a toll-free telephone number for inquiries about the breach.
The hospital and Portal, dba Portal Ascend Group, are named as defendants in the class action. Also named is Carpathia Hosting.
Both Portal and Carpathia are based in suburban Washington, D.C. Portal, which offers clinical documentation services for health care providers, is a client of Carpathia, which provides electronic medical record hosting services. Carpathia maintained the hospital's records on a server in Ashburn, Va., according to the complaint.
The class claims the hospital alerted the plaintiffs to the breach in an April 3 letter that indicated it could not determine whether any of the women's medical information had actually been viewed.
An online blog cited by the complaint, PHIprivacy.net, reported that Portal's CEO said firewall settings had left a server vulnerable to unrestricted access but that an examination of the logs showed no access or downloads.
The complaint calls those statements "false," and claims the defendants "concealed from patients the true scope and nature of the data breach that compromised and/or disclosed their medical records."
It accuses the defendants of gross negligence, for failing to safeguard and monitor the electronic files.
"As a direct and proximate result of defendants' negligence, plaintiffs have been injured, and said injury was foreseeable," the complaint states.
The plaintiffs seek monetary damages and expenses "for credit and identity-theft monitoring and insurance, periodic credit reports, anxiety, emotional distress, loss of privacy and other ordinary, incidental and consequential damages as would be anticipated to arise under the circumstances."
They also seek punitive damages, claiming "(t)he acts of defendants have been intentional, willful, wanton, illegal and done with conscious and deliberate disregard for the health, safety and rights of plaintiffs."
They also seek an injunction to prevent destruction of any electronic files related to the breach, including the server logs. They want an independent computer forensics auditor to assess the breach, and defendants ordered to retrieve any patient records that were accessed.
The plaintiffs are represented by Donald Boyajian and James Peluso of Dreyer Boyajian in Albany.