The Daily

Data Breach: A Patients Rights Revolution

“…patients have to learn to diagnose themselves before they know which specialist to call.”

The Problem

On November 13, 2015, the Federal Bureau of Investigation notified 21st Century Oncology (based here in Ft. Myers) that over two million patients’ confidential records and data in 21st Century’s possession and control had been collected and sold by criminals using the Internet.[1] 21st Century’s patients were not notified of the breach for three months or more. And this was not the first data breach at 21st Century: in 2013, a 21st Century employee caused a similar data breach.[2] 21st Century also recently settled a False Claims Act action filed by the Federal Government for almost twenty million dollars ($20,000,000.00).

On December 19, 2015, a truck carrying whole, un-redacted and confidential patient records from Radiology Regional on Fowler Avenue in Ft. Myers dumped nearly a half million patients’ records onto the windy, dry street where they were blown around the city on the days that followed.[3] Despite Radiology Regional being immediately aware of the data breach, the half million patients were not notified of the breach by Radiology Regional for several months.

The Law

Since the passage of Federal legislation, HIPAA (the 1996 Health Insurance Portability and Accountability Act – the most sweeping health change since ERISA) and ACA (the 2010 Affordable Care Act, often referred to as ‘Obamacare’), tremendous resources and energy were transferred into the collection, maintenance and protection of electronic medical records (EMR). These records almost invariably contain sensitive financial and identity data, as well as confidential medical records. Therefore, their protection from breach is an understandable priority. Notwithstanding the emphasis on EMR safety, the system only works when honored by best practices that are laid out by statute and not circumvented.

Breach of contract claims will usually arise out of documents and agreements contained in the patient records of the facility. These signed agreements typically incorporate HIPAA by reference if not by specific citation. They can form the basis for pleading a simple cause of action for breach of a written agreement to comply with applicable law by maintaining the privacy of the Plaintiff’s data.

Florida’s Constitution also guarantees our privacy and provides varying common law remedies for invasion of privacy in State Court. See, Doe v. Beasley Broadcast Group, 105 So. 3d 1 (Fla. 2nd DCA 2012).

While HIPAA and Florida’s version of that Federal Law (FIPAA) do not provide a civil remedy, they are evidence of best practices and standard of care that provide a foundation for jury instructions on negligence. The laws also incorporate the Federal and State Unfair Trade Practices Acts that provide civil remedies that include cost and fee shifting provisions.

In addition, Florida recognizes the statutory (including administrative rules) duty of health care providers to properly maintain medical records. See, Public Health Trust of Dade County v. Valcin, 507 So. 2d 596 (Fla. 1987). While Valcin has been clarified (it should no longer be used to support an independent cause of action for spoliation), the doctrine of spoliation is alive and well in the State. Valcin’s burden of proof shifting presumptions are a powerful tool for claimants where the health care provider negligently loses, destroys, or discards records that prejudice the ability of the Plaintiff to prosecute their claim fully. It can and will likely be argued by data breach victims that releasing the protected records or allowing unpermitted access to the records can also result in a Valcin instruction under proper circumstances.

The Damage

When the confidential medical and financial data of almost three million local patients is breached, that is a matter of serious concern for the entire community. Many of these patients have been subjected to life-altering identity theft and fraud since these data breach incidents. False IRS returns were created for the purpose of stealing refunds. Funnel accounts were created to run stolen and illegal funds and purchases through them. False credit and bank accounts were fraudulently created, changing innocent lives.

The Solution

More than ever, health care consumers must diligently protect their health and rights. For too long, Florida health care reimbursement and delivery systems operated in opaque secrecy. Informed consumers need to see the charges billed and the record of payment. They need to understand the relative position of collateral source payors and why certain Hospitals and Doctors choose to route their payments through the payment channel the way they do. Hospitals need to clearly and simply identify for patients how their insurances are being handled, what the Hospital is billing, who they are billing it to and whether there are more cost-efficient alternatives. In many cases, local Hospitals deliberately avoid charging valid insurance if they believe they can recover more elsewhere by ignoring available insurance.

Patients have a right under Amendment 7 in Florida’s Constitution to know about their health care provider’s history of incidents. This right needs to be respected in the spirit of honesty and forthrightness that assists the informed patient consumer. Like billing practices, patients need to be armed with information about the security of their information and any data breaches that make their information vulnerable. Without all of the information described above, patients cannot exercise their rights as consumers properly in the health marketplace.

Finally, patients need to protect and enforce their rights when they are violated. After decades of Florida ‘tort reform’, limiting patient rights – this may be rightly perceived as a ‘Patient Rights Revolution’. The Supreme Court opinion in Estate of McCall v. United States, 134 So. 3d 894 (Fla. 2014) reversing the legislatively imposed caps on medical malpractice damages may just be the beginning of that revolution.




Bill Thompson is Plaintiffs’ counsel of record in the data breach class actions Bellows v. Radiology Regional, Florida Circuit Court Twentieth Judicial Circuit (Fort Myers) 16-CA-000629 and Trelease v. 21st Century Oncology, United States District Court (Middle District, Fort Myers) 216-CV-258-FTM-99-MRM. He was also the solo trial and appellate counsel in the invasion of privacy claim appealed to Florida’s Second District Court of Appeals prior to settling for a confidential amount, Doe v. Beasley Broadcast Group, 105 So. 3d 1 (Fla. 2nd DCA 2012).


[1] Office of Inadequate Security, March 4, 2016.

[2] Id., September 24, 2013.

[3] Ft. Myers News Press, Melanie Payne, March 2 and March 9, 2016.