St. Joseph Health faces class-action lawsuit over patient data exposure

SANTA ROSA -- A class-action lawsuit has been filed against St. Joseph Health System, which operates Santa Rosa Memorial, Petaluma Valley and Queen of the Valley hospitals, for allowing private patient data to be searchable online for 31,800 patients across the system's California hospitals, including about 10,000 patients locally.

The suit, filed last week in Sonoma County Superior Court by two allegedly affected patients, is seeking $1,000 per patient, which would total $31.8 million for all the California patients involved, according to the complaint. The suit claims the Orange-based health system was "negligent" and that it "unlawfully failed to maintain and preserve the confidentiality" of patients.

The lawsuit is one of five filed against the health system on the accidental release of information, according to a spokesman for St. Joseph Health.

St. Joseph Health first reported the potential data breach in early February, sending notices to 6,235 patients of Santa Rosa Memorial and another 4,263 patients from Queen of the Valley. Two patients from Petaluma also were notified.

The remainder of affected patients were in Southern California hospitals operated by the health system: Mission Hospital and St. Jude Medical Center, both in Orange County.

At the time of the breach, the health system said the information that was searchable did not include full medical records and that Social Security numbers, patient addresses and financial data were not disclosed.

What was visible by search included patient data such as patient name, body mass index, smoking status, blood pressure, lab results, diagnoses, allergies, demographic info including spoken language, ethnicity, race, gender, birth date and advance directive, which tells health care providers patient wishes for treatment and decision-making.

The suit was filed by Deanna DeBaeke and Loba Moon, who say they were both patients in Sonoma County. According to the suit, Ms. DeBaeke was a patient at Santa Rosa Memorial in April 2011. Earlier this year, she ran a search of her name on Google from her cell phone. Among the results she claims she found were three reports from the health system related to her treatment, including her patient account number and admission or readmission dates, among other information. 

Ms. Moon said she was a patient at Memorial in 2011. She received notification from the health system and found that her information was searchable online for as long as seven months, according to the court complaint.

In a statement, St. Joseph said it could not comment on the specifics of pending litigation.

"We can tell you, however, that there are several important points to make clear about this potential disclosure of patient information," spokesman Brian Greene said. "This information was in reports and did not entail medical record, which remains secure."

The health system emphasized that patient addresses, Social Security numbers and financial information were not included in the reports.

"The data was not readily accessible on the Internet and there is no indication at this time that the information was used by unauthorized persons," the health system said. "In keeping with our fundamental commitment to the security of our patients and their information, we worked to secure the data as soon as the potential for disclosure was discovered."

The complaint alleges that personal and medical information was in unencrypted electronic reports that were saved in a health system internal database between February and August 2011.

"The electronic reports were not encrypted, were not password protected and did not contain or use any other form of electronic protection," according to the suit.

When the health system notified patients in February, it acknowledged that security settings were "incorrect" on the information. The health system said it was taking steps to prevent such a potential data breach from happening again.

"We have reviewed and revised our processes and conducted an intensive audit on the situation to ensure that it does not happen again," Mr. Greene said in the statement.

St. Joseph Health set up a toll-free number for patients affected (877-430-5623) and is providing free identity-theft protection services to them as a precautionary measure.

The two Sonoma County plaintiffs are being represented by San Francisco law firm Keller Grover LLP.
