Seattle Children’s Hospital Lawsuit Dismissed and Atlanta Women’s Health Group Lawsuit

Seattle Children’s Hospital Website Tracking Technology Lawsuit Dismissed with Prejudice

A Washington court dismissed with prejudice the class action lawsuit filed against Seattle Children’s Hospital (SCH) concerning its usage of pixels and other tracking technologies on its web pages. Just like other hospitals, SCH put pixels on its website to monitor user actions on the website. Using the tracking technologies allowed the hospital to collect information on the way the website was utilized to enhance the site and patient usage. Based on a user’s activities on the website, the pixels could have obtained identifiers and medical data, which was transmitted to third parties.

A lawsuit was filed by parents who had utilized the website claiming the use of pixels is a violation of the Washington Privacy Act, Washington Uniform Health Care Information Act, and Washington Consumer Protection Act. They claimed a privacy violation, an unjust enrichment, a breach of implied contract, and a conversion. SCH contended that the data collected by the pixels was not confidential health data and that users had agreed on its privacy policy terms, and by doing so, had agreed to share anonymous information with third parties. If identifying data was shared with third parties, it only happened since the plaintiffs had permitted third parties like Facebook to put that data on their web browsers.

In the legal action, the plaintiffs claimed that there were sensitive communications on the SCH website, and health data associated with those communications was sent to third parties. SCH explained that the sensitive communications that were referred to by the plaintiffs could only occur on its patient website because there were no pixels and other tracking systems on the portal. The Washington court agreed with SCH and dismissed with prejudice all of the plaintiffs’ claims.

Atlanta Women’s Health Group Faces Lawsuit Over 2023 Ransomware Attack

A class action lawsuit was filed against Atlanta Women’s Health Group over an April 2023 cyberattack that allowed an unauthorized third party to acquire access to its servers as well as the sensitive information of its patients. On April 12, 2023, Atlanta Women’s Health Group uncovered the cyberattack and conducted a forensic investigation that confirmed the exposure of patients’ protected health information (PHI). The types of breached data included names, patient ID numbers, birth dates, and other data that may be included in health records. The exact types of data that were viewed or stolen cannot be determined, therefore all individuals who were potentially affected received breach notifications.

The lawsuit M.T. vs. Atlanta Women’s Health Group P.C. was submitted in the U.S. District Court for the Northern District of Georgia Atlanta Division. According to the allegations, the OB/GYN healthcare provider did not implement adequate data security procedures and breached its responsibilities enforced by law. Because of those failures, unauthorized people gained access to its system and stole highly sensitive patient information. If proper cybersecurity measures had been applied, the attack and data breach might have been averted.

The lawsuit additionally claimed that although Atlanta Women’s Health Group notified the Department of Health and Human Services Office for Civil Rights regarding the breach in 60 days after discovery, email notifications to the plaintiff and class members regarding the attack were issued in 10 months and there was no explanation regarding the delay. The letters mentioned that all patients were informed concerning the cyberattack as a safety precaution. If that is the reason for sending the notifications, why wait 10 months to issue them? The lawsuit likewise mentioned that the notification letters failed to make clear when the attack happened but Atlanta Women’s Health Group reported that that the hackers had erased the stolen information. No proof was presented that indicates permanent deletion of the data and copies of the data that the attackers made.

The lawsuit states the plaintiff and class members were exposed to harm by means of misuse of their PII and PHI, were further exposed to a continuing significant, increased, and impending risk of financial scam and identity theft for a long time, and have suffered many actual injuries and losses. The lawsuit claims breach of fiduciary duty, invasion of privacy/intrusion upon seclusion, negligence, and negligence per se, and wants a jury trial, class action certification, and declaratory and injunctive relief. The legal representatives of the plaintiffs are Todd McClelland of Sterlington, PLLC; MaryBeth V. Gibson of the Gibson Consumer Law Group, LLC; Michael Sullivan, Gabriel Knisely, and David H. Bouchard of Finch McCranie, LLP.

About Christine Garcia 1201 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA