A jury has awarded a woman $300,000 in damages following a privacy breach at Medical Center Enterprise (MCE), Alabama.
Amy Pertuit’s patient rights were violated when a physician at MCE accessed and disclosed her protected health information to a third party without the proper authorization or consent to do so. This is a breach of HIPAA’s Privacy Rule, which addresses how sensitive patient data may be accessed and disclosed by covered entities (CEs).
The incident occurred in January 2015.
Amy Pertuit filed the lawsuit against Medical Center Enterprise (MCE) in Alabama, a former MCE physician, and an attorney.
According to lawyers for the plaintiff, information was impermissibly disclosed to Amy Pertuit’s husband’s ex-wife by MCR.
At the time of the breach, Amy Petruit’s husband was involved in a custody battle with his former wife, Deanna Mortenson. Deanna Mortenson contacted Dr Lyn Diefendfer, a physician at MCE, and convinced her to pass on Amy Pertuit’s health information. Mortenson wished to use this data against her ex-husband in the custody battle.
Dr Diefendfer accessed Pertuit’s records through the Alabama Prescription Drug Monitoring Program website. Once she obtained the information, she disclosed the data to her attorney, Gary Bradshaw. Dr Diefendfer had no treatment relationship with Pertuit; she did not have the proper authorization to access her medical information. Furthermore, she did not have the proper authorization to pass the information on to her attorney. The physician’s actions constitute a severe breach of HIPAA’s rules.
After discovering that Dr Diefendfer had accessed and disclosed her medical information, Pertuit complained to the Department of Health and Human Services’ Office for Civil Rights. OCR put the hospital on notice. MCE subsequently failed to implement appropriate sanctions against Dr Diefendfer, who accessed further health information in 2016 and disclosed that information to her attorney.
The plaintiff’s lawyers also said the hospital’s privacy officer had investigated Dr Diefendfer and discovered 22 separate violations of hospital policies and HIPAA Rules.
The lawsuits filed against Dr Diefender, Deanna Mortensen, and Gary Bradshaw were all settled out of court. The case against MCE went to a jury trial.
The jury unanimously found MCE had failed to take appropriate action against Dr Diefender after the discovery of the privacy violation and awarded the plaintiff $295,000 in punitive damages and a further $5,000 as compensation for pain, suffering, and humiliation.