Atlanta Women’s Health Group faces legal action following its alleged delay in notifying tens of thousands of patients about a data breach compromising protected health information (PHI). The delay, spanning nearly a year from the April 2023 breach, has led to a proposed class action lawsuit against the OB/GYN practice.
What happened
The OB/GYN practice, serving approximately 300,000 patients annually, experienced a data breach in April 2023, with notification to victims only occurring in January 2024. The breach, attributed to inadequate cybersecurity, exposed patients' names, dates of birth, medical histories, and more, including patient ID numbers and other information typically found in medical records. To date, the practice has not provided an explanation for the significant delay in notifying affected individuals.
The backstory
Atlanta Women’s Health Group’s email notification regarding the data breach confirmed unauthorized access to specific files containing PHI. Despite forensic inquiry findings indicating the security of its electronic health record systems, certain PHI within the accessed files was compromised. The lawsuit alleges that with proper cybersecurity measures, the cyberattack and data breach could have been prevented.
Additionally, although the Department of Health and Human Services’ Office for Civil Rights was promptly notified within 60 days of discovery, Atlanta Women’s Health Group took 10 months to notify the plaintiff and class members, with no explanation for the delay.
What was said
The class action suit alleges, "Due to Defendant’s inadequate data security, which breached duties imposed by law, unauthorized third parties gained access to Defendant’s computer network and to highly valuable and highly sensitive PII and PHI belonging to Plaintiff and the Class Members."
Furthermore, the email notice sent on January 30, 2024, “does not provide… any proof that the ‘unauthorized user’ in fact ‘permanently deleted all compromised data.’”
As a result of the defendant’s unreasonable and insufficient data security practices, plaintiffs have suffered “present injury in the form of actual misuse of their [PHI] and have further been exposed to an ongoing substantial, heightened, and imminent risk of financial fraud and identity theft for years to come.”
Why it matters
This breach shows the importance of HIPAA compliance in safeguarding patient privacy and draws attention to the broader issue of cybersecurity flaws in the healthcare sector. Due to Atlanta Women’s Health Group's insufficient data security, patients face misuse of their PHI as well as continued, significant, and imminent risk of financial fraud and identity theft for the foreseeable future.
Related: HIPAA Compliant Email: The Definitive Guide
