The Arkansas Attorney General filed a lawsuit against the Eastern Ozarks Regional Health System in Cherokee Village, alleging it failed to protect the personal and health information of its patients after closing its business operations.
Although it appears the case is referencing physical files, the same measures employed for digital technologies are equally important in the healthcare space from a compliance perspective. Healthcare still heavily relies on paper documentation, including fax mechanisms, far more than other industries.
The same compliance standards OCR applies in the digital space apply equally to physical files. The lawsuit should serve as a reminder of the importance of physical security controls, as well as of the potential for state enforcement even when OCR does not pursue an audit.
In the case of Eastern Ozarks, the hospital abruptly closed in 2004 and allegedly left patient and employee files abandoned in the building. The property transferred to the state in 2010, after the owners failed to pay taxes on the facility.
Last year, the attorney general’s office visited the property and found possible violations of the Personal Information Protection Act (PIPA) and the Arkansas Deceptive Trade Practices Act. ADTPA is the statutory authority for the attorney general to enforce deceptive and unlawful business practices.
Enacted in 2005, PIPA is designed to ensure businesses interacting with consumer data are leveraging reasonable security practices. The law requires all entities to “take all reasonable steps to destroy or arrange for the destruction of a customer’s records within its custody or control containing personal information.”
The lawsuit accuses Eastern Ozarks of engaging in “unlawful conduct harmful to Arkansas consumers by failing to take reasonable measures to protect their patients’ and employees’ personal information and by failing to properly dispose of said information.”
Specifically, the attorney general’s office found that the hospital “facility had been vandalized and was in serious disrepair,” and many of the abandoned files found throughout the property “appeared to have been examined, likely by trespassers.” In one instance, it appeared that someone viewed the information and copied down the contents.
The attorney general estimated that several thousand files were left behind in the unsecured care sites and storage buildings, given that the hospital and related clinics were in operation for nine years. The files contained contact information, Social Security numbers, driver’s licenses, account information, medical information, and biometric data.
The lawsuit also asserts there may be patient and employee files on the property that have yet to be discovered.
“Consumers must be able to trust their healthcare providers and employers to protect their personal information,” said Attorney General Leslie Rutledge, in a statement. “Eastern Ozarks Regional Health System betrayed that trust and left patients and employees vulnerable to scams and identity theft. I am holding the hospital and its owners accountable.”
The “consumer protection action” lawsuit alleges Eastern Ozarks failed to properly dispose of or properly secure patient and employee documents prior to closing operations, in violation of state regulations. The hospital owners are facing up to $10,000 for each violation of PIPA and ADTPA.
Along with the lawsuit, the attorney general is seeking a preliminary injunction to remove the files and documents containing personal information from the property to be securely stored for the length of the pending lawsuit.