The Laws Regulating Health Data

A class action against the eye-care provider Nationwide Vision and vision plan provider Sightcare has been settled for $3.45M.

The lawsuit arose out of a 2021 data breach that compromised the personal information of thousands of their users. The data of current and former patients, customers, staff, members, and covered dependents was compromised between April 20 and May 17, 2021.

A cyberattack by a third party targeted email and computer systems and put personal information at risk. An investigation into the breach revealed that full names, dates of birth, addresses, social security numbers, taxpayer numbers, driver's license numbers, financial information, medical information, prescriptions, health insurance information, and billing information may have all been obtained in the breach.

The lawsuit alleged the defendants failed to protect patients and staff. The plaintiffs claim consumer protection laws were breached due to negligence. And, according to the complaint, defendants did not have enough safeguards in place to adequately protect sensitive data.

Moreover, defendants are accused of failing to provide timely and accurate notices of the breach.

Emma Crabtree, "Americans to get $300 payment from $3.45m pot after company 'failed to protect them' – certain customers will get $5,400," the-sun.com (Jul. 13, 2024)

Commentary

Depending on your industry, information security and data breach notification requirements are found in the Privacy Act of 1974, the Federal Information Security Management Act, the Office of Management and Budget Guidance, the Veterans Affairs Information Security Act, the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act, the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, and the Fair Credit Reporting Act. Provisions of the Computer Matching and Privacy Protection Act of 1988 and Section 208 of the E-Government Act of 2002 should also be noted. Various federal regulatory bodies or agencies are charged with the enforcement of such rules.

Moreover, legislation has been enacted by all 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands that requires private entities or government agencies to notify individuals who have been impacted by security breaches that may compromise their personally identifiable information. Actions for breaches of these acts may be brought by the attorneys general of each state, or in some cases, by private action.

And, employers with a hemispheric or global presence should be aware of the requirements and penalties found in Canada's Digital Privacy Act (DPA)/Personal Information Protection and Electronic Documents Act (PIPEDA) and the European Union's General Data Protection Regulation (GDPR).
