Chaney v. SISTERS OF ST. FRANCIS HEALTH SERVICES, INC, et. al. - October 27, 2006 - Complaint

PARTIES:

THE COURT


Download PDF

View Incident

Full Text of Document

IN THE UNITED STATES DISTRICT COURT
FOR THE SOUTHERN DISTRICT OF INDIANA 27 PH 4:49
INDIANAPOLIS DIVISION
MICHAEL 1. CHANEY, individually, and on behalf ofothers similarly situated, ) ) , , ," ,1""'" . " ,~, ,; ;)
) CLASS ACTION COMPLAINT
Plaintiffs, )
v. ) CASENO.
)
SISTERS OF ST. FRANCIS HEALTH SERVICES, INC., )
GREATER LAFAYETTE HEALTH SERVICES, INC., )
::tTN~~~~E~6~~~i~~~Y' INC., lj: 06-cv-1583 -SEB -VSS
JANE DOE, individually and as an employee, )
)
Defendants. ) CLASS ACTION COMPLAINT I. PRELIMINARY STATEMENT

Plaintiff Michael 1. Chaney brings this cause of action pursuant to the Federal Health Insurance Portability and Accountability Act of 1996 ("HIPAN'), the Standards for Privacy ofIndividually Identifiable Health Information ("Privacy Rule"), 45 CFR Parts 160 and 164, Privacy Act of 1974, and the Fourth and Fifth Amendments to the United States Constitution under the authority of Bivens v. Six Unknown Agents of the Federal Bureau of Narcotics, 403 U.S. 388 (1971) on behalf of himself and all other similarly situated against Sisters of S1. Francis Health Services, Inc. ("SSFHS"), Greater Lafayette Health Services, Inc. ("GLHS"), Advanced Receivables Strategy, Inc. ("ARS"), Perot Systems Corporation ("PSG') and Jane Doe.

Plaintiff Michael 1. Chaney has been a patient of Sisters of S1. Francis Health Services, Inc. and Greater Lafayette Health Services, Inc., one of more than two hundred sixty thousand (260,000) patients whose private personal information, which would include but not be limited to, name, address, social security number, and date of birth, was improperly, unlawfully, willfully and intentionally disclosed in at least three (3) ways: (1) through the access and removal of data files containing the private information of 260,000 patients from SSFHS and GLHS facilities by ARS, PSC and Jane Doe; (2) through the transfer of the data to external and unprotected disks and/or computers by Jane Doe; and, (3) through the possession of these disks and/or computers by third parties, the identities of whom may never be known. These disclosures were made' without Plaintiffs' knowledge or consent and violate the HIPAA Privacy Rule, 45 CFR Parts 160 and 164.

These disclosures were the direct and proximate result of Defendants' willful and intentional failure to establish and enforce appropriate safeguards to ensure the security and privacy of patient records and to protect against any known or anticipated threats or hazards to the security and integrity of these records in violation of HIPAA Privacy Rules, 45 CFR Parts 160 and 164.

Subsequent to learning of these disclosures, Defendants were deliberately indifferent in failing to take reasonable corrective action, including but not limited to, failure to provide prompt and accurate notification of the disclosures to the patients despite knowledge of the substantial risk of serious harm to the personal and financial security of the affected patients as a result of the disclosures.

Defendants' disclosures of Plaintiffs' confidential social security numbers also violated Plaintiffs' right to privacy and personal security of their social security numbers under the Fourth and Fifth Amendments ofthe United States Constitution.

As a result of the Defendants' acts and omissions in disclosing and failing to protect Plaintiffs' private personal information, including their social security numbers, Plaintiffs and those similarly situated have been placed at a substantial risk of harm in the form of identity theft and have incurred and will incur actual damages in an attempt to prevent identity theft by purchasing services to monitor their credit information. The remedies sought include declaratory and remedial injunctive relief, damages and reasonable attorneys' fees and costs.II. JURISDICTION AND VENUE

The jurisdiction of this Court is invoked pursuant to HIPAA Privacy Rules, 45 CFR Parts 160 and 164, HIPAA, Bivens, diversity of citizenship pursuant to 28 U.S.c. § 1332(a)(1) and 28 U.S.c. § 1332(d)(2), as the amount in controversy exceeds Five Million Dollars ($5,000,000).

Venue is appropriate pursuant to 28 U.S.c. § 1391(a).III. PARTIES

Plaintiff Michael 1. Chaney is an adult male citizen of the State of Indiana residing in Greenwood, Johnson County, Indiana and at all times relevant to this Complaint, received medical services provided by the Defendants Sisters of St. Francis Health Services, Inc. and/or Greater Lafayette Health Services, Inc.

Defendant Sisters of St. Francis Health Services, Inc. is an Indiana non-profit corporation, principally located at 1515 Dragoon Trail, P.O. Box 1290, Mishawaka, Indiana 46546 and whose Indiana resident agent is Sister Jane Marie Klein, O.S.F., 1515 Dragoon Trail, Mishawaka, Indiana 46544 and at all times relevant to this Complaint, provided medical services to patients in the State ofIndiana and the State of Illinois.

Defendant Greater Lafayette Health Services, Inc. is an Indiana non-profit corporation, principally located at 2400 S Street, Lafayette, Indiana 47904 and whose Indiana resident agent is Jane M. Klein, 1515 Dragoon Trail, Mishawaka, Indiana 46544 and at all times relevant to this Complaint, provided medical services to patients in the State of Indiana and the State ofIllinois.

Defendant Advanced Receivables Strategy, Inc. is a Delaware corporation, doing business in the State of Indiana, principally located at 2300 West Plano Parkway, Plano, Texas 75075 and whose Indiana resident agent is CT Corporation System, 251 East Ohio Street, Suite 1100, Indianapolis, Indiana 46204 and at all times relevant to this Complaint, provided services to Defendants Sisters of S1. Francis Health Services, Inc. and Greater Lafayette Health Services, Inc., which included access to patient billing and personal information.

Defendant Perot Systems Corporation is a Delaware corporation, doing business in the State of Indiana, principally located at 2300 West Plano Parkway, Plano, Texas 75075, and whose Indiana resident agent is CT Corporation System, 251 East Ohio Street, Suite 1100, Indianapolis, Indiana 46204 and at all times relevant to this Complaint, provided services to Defendants Sisters of S1. Francis Health Services, Inc. and Greater Lafayette Health Services, Inc., which included access to patient billing and personal information.

Defendant Jane Doe, is an adult female, and is being sued individually and as an employee of Defendants Advanced Receivables Strategy, Inc. and Perot Systems Corporation. Upon information and belief, Jane Doe engaged in conduct tantamount to willful and intentional disclosure of and failure to protect the private personal information of Plaintiff Michael J. Chaney and two hundred sixty thousand (260,000) Indiana and Illinois patients of Sisters of S1. Francis Health Services, Inc. and Greater Lafayette Health Services, Inc.IV. STATEMENT OF FACTS

In order to receive medical services from SSFHS and GLHS, the Plaintiffs were required to provide their private personal and medical information, including but not limited to socialsecuritynumbers,date ofbirth,and servicesrendered.

On or about October 16, 2006, ASR, a PSI company, sent correspondence to Plaintiff Michael 1. Chaney and to potentially 260,000 patients of SSFHS and GLHS advising that their private personal information had been disclosed.

ASR, a PSI company, was engaged by SSFHS and GLHS to improve hospital billing process and upon information and belief, its employee, Jane Doe, downloaded billing data containing names and/or social security numbers from SSFHS and GLHS computer systems onto laptop and/or CDs and took the same to her home. ASR contends that Jane Doe allegedly purchased a new computer bag, packed her laptop and CDs into it and the next day decided the bag was too small and returned it to the store for a refund, failing to remove the CDs from the bag. ASR further contends that three (3) days later, the bag containing the CDs was purchased by a third party who contacted SSFHS and returned the CDs to SSFHS.

Jane Doe was able to access computer files containing private personal information of 260,000 patients and copy the files from SSFHS and GLHS computer systems onto external disks and/or her personal computer, and remove the same from the ASR and PSC facilities, which files are not believed to be encrypted or password protected and can be easily accessed and duplicated.

That upon learning of the above-described disclosures, the Defendants, and each ofthem, unreasonably delayed reporting the disclosures to the patients despite knowledge ofthe imminent and substantial risk of serious harm to the personal security of the affected patients, by first having their "legal counsel and auditors thoroughly investigate the matter".

The Plaintiffs were advised by ASR to notify the major credit reporting agencies to place a fraud alert on your consumer credit file" and to "beware of any phone calls, e-mails and other communication". As a consequence of Defendants' disclosures, 260,000 patients of SSFHS and GLHS are at a heightened threat of identity theft.

As a result of the Defendants' willful and intentional failure to establish appropriate safeguards to ensure the security and confidentiality of patient records and to protect against any anticipated threats or hazards to the security and integrity of these records in violation of the HIPAA Privacy Rules, 45 CPR Parts 160 and 164.

As a direct and proximate result of the Defendants' acts and omissions In disclosing and failing to protect the Plaintiffs' private personal information, including but not limited to their social security numbers, the Defendants have violated the HIPAA Privacy Rules, 45 CPR Parts 160 and 164.v. CLASS ALLEGATIONS

Plaintiffs maintain this action on behalf of themselves and all individuals whose private personal information, including social security numbers, were disclosed by Defendants sometime in July, 2006.

The members ofthe putative class are so numerous, believed to be as many as two hundred sixty thousand (260,000), such that joinder of individual claims is impracticable. Moreover, there are significant questions of fact and issues of common law to the members of the putative class. These issues include whether Defendants failed to establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against known and anticipated threats or hazards to the security and integrity of these records, violations of HIPAA and whether such failures were willful and intentional and, finally, whether they incurred actual damages as a consequence.

Plaintiff's claims are typical of the claims of the putative class and all members of the putative class have been adversely affected and damaged in that their private information has been compromised.

The proposed class representative will fairly and adequately represent the putative class because he has the class members' interest in mind, their individual claims are co-extensive with and identical to those of the class and because they are represented by qualified counsel experienced in class action litigation.

A class action in this instance is superior to other available methods for a fair and efficientadjudication oftheseclaimssinceindividualjoinder oftheclaims ofallmembers ofthe putative class is impracticable. Most members of the class would be without the financial resources necessary to pursue this matter and, further, to litigate each of the Plaintiffs' claims separately would result in an undue burden upon the Court in which the individualized cases would proceed. Class action procedures would allow for far fewer management difficulties in matters of this type and does provide for unique benefits of unitary adjudication, economy of scale and comprehensive supervision over the entire matter in a single court.

The putative class can be certified pursuant to Rule 23(b)(l) of the Federal Rules of Civil Procedure because inconsistent or varying adjudications with respect to individual class members would establish incompatible standards ofconduct for the Defendants to follow.

The putative class may be certified pursuant to Rule 23(b)(3) of the Federal Rules of Civil Procedure because questions oflaw and fact common to class members will predominate over questions affecting individual members and a class action is superior to other methods for fairly and efficiently adjudicating the controversy and causes of actions described in the Complaint.
VL STATEMENT OF CLAIMS COUNT ONE

Rhetorical paragraphs 1 through 29, inclusive, of Plaintiff's Complaint are incorporated here by reference as if fully set forth.

The foregoing acts and omissions of Defendants constitute an unauthorized, non-consensual, and inappropriate disclosure of Plaintiffs' social security numbers in violation of HIPAA Privacy Rules, 45 CFR Parts 160 and 164.COUNT TWO

Rhetorical paragraphs 1 through 31, inclusive, of Plaintiffs Complaint are incorporated here by reference as if fully set forth.

The foregoing acts and omissions of the Defendants constitutes a violation of HIPAAPrivacy Rules, 45 CFR Parts 160 and 164, to maintain their private personal records in complete privacy.

Rhetorical paragraphs I through 33, inclusive, of Plaintiff's Complaint are incorporated here by reference as if fully set forth.

The foregoing acts and omissions of the Defendants constitute a willful and intentional failure to establish appropriate safeguards to ensure the security and privacy of Plaintiffs' patient records against known and potential threats or hazards to the security and integrityofthePlaintiffs' privatepersonalrecordsinviolation ofHIPAA Privacy Rules, 45 CFR Parts 160 and 164.COUNT THREE

Rhetorical paragraphs 1 through 35, inclusive, of Plaintiff's Complaint are incorporated here by reference as if fully set forth.

The foregoing acts and omissions of the Defendants, and each of them, constitute a violation of Plaintiffs' right to privacy in their social security numbers under HIPAA Privacy Rules, 45 CFR Parts 160 and 164 and the Fourth and Fifth Amendments to the United States Constitution.COUNT FOUR

Rhetorical paragraphs 1 through 37, inclusive, of Plaintiff's Complaint are incorporated here by reference as if fully set forth.

The foregoing acts and omissions of the Defendants, and each of them, deprived Plaintiffs of their right to procedural and substantive due process under the Fifth Amendment to the United States Constitution.VIL PRAYER FOR RELIEF WHEREFORE, Plaintiff, Michael 1. Chaney, onbehalf ofhimselfand all others similarly situated, hereby demand judgment against the Defendants, as follows: a.
For a declaration that Defendants' willfully and intentionally failed to establish appropriate safeguards to ensure the security and privacy of the patients' records and to protect against known and anticipated threats or hazards to the security and integrity ofthose records in violation ofInPAA Privacy Rules, 45 CFR Parts 160 and 164and the Fourth and Fifth Amendments to the United States Constitution. b.
Forpreliminaryinjunctiverelieftoensurethesecurityandprivacy ofthepatients' records. a.
For reparative injunctive relief under Bivens requiring Defendants to take necessary measures to safeguard against the serious harm attendant to the improper disclosure/theft of confidential information including an identity and/or credit monitoring program and a preemptive internet search service for the benefit of Plaintiffand the proposed class under the Court's supervision. b.
For an award of damages for Plaintiff and each affected class member in an amount of no less than Five Thousand Dollars ($5,000). c.
For an award of reasonable attorney fees and costs incurred by Plaintiff and the members ofthe putative class in prosecuting this matter. d.
For an award of such other relief in law and equity to which Plaintiff and the members ofthe putative class may be entitled under the premises.
Respectfully submitted,

-ij-
Scott A. Benkie, #4327-49 Douglas A. Crawford, #11170-71 BENKIE & CRAWFORD 47 South Meridian, Suite 305 Indianapolis, IN 46204 Phone: (317) 632-4448 Fax: (317) 637-8555 Email: SABe!1kie@aoLcom :Qt\~rawfo-s~d60@aotcom

Edit | Back
Sponsored By: Rbs Zecurion
Use of the DataLossDB, and its exports, RSS feeds, reports, or other materials produced on this site by the Open Security Foundation requires authorization and potential licensing arrangements. For more information, please e-mail [email protected] with a brief summary of how you would like to use this information; product, service, research, etc.
© 2005 - 2014, Open Security Foundation, All Rights Reserved.