The Daily

DATA BREACH: A Patient Rights Primer

Published in the June Res Gestae.

Bill Thompson, Jr.

April 26, 2016

On November 13, 2015, the FBI notified 21st Century Oncology that over two million patients’ confidential records and data in 21st Century’s possession and control had been collected and sold by criminals using the Internet. 21st Century’s patients were not notified for three months or more. This was not their first data breach: in 2013, a 21st Century employee caused a similar data breach of their patient records. 21st Century also recently settled a False Claims Act action filed by the Federal Government for almost twenty million dollars ($20,000,000.00).

On December 19, 2015, a truck carrying whole, unredacted, confidential patient records from Radiology Regional in Ft. Myers dumped nearly a half million (500,000) patients’ records onto the windy, dry street on Fowler Avenue where they were blown throughout the city. Despite Radiology Regional’s awareness of the data breach, the affected patients were not notified of the breach for several months.

Since the passage of HIPAA (the 1996 Health Insurance Portability and Accountability Act – the most sweeping health change since ERISA) and ACA (the 2010 Affordable Care Act, often referred to as ‘Obamacare’), health care providers have been directed specifically by statutory, administrative and professional rules to collect, maintain and protect electronic medical records (EMR). These data and records invariably contain sensitive financial and identity data, as well as confidential medical records. Protection from breach is a mandated priority. The EMR safety system only works when honored by best practices that are laid out by statute – not circumvented or recklessly disregarded.

Breach of contract claims will usually arise out of documents and agreements contained in the patient records of the facility. These signed agreements typically incorporate HIPAA by reference if not by specific citation. They can form the basis for pleading a simple cause of action for breach of a written agreement to comply with applicable law by maintaining the privacy of the Plaintiff’s data.

Florida’s Constitution also guarantees our privacy and provides varying common law remedies for invasion of privacy in State Court. See, Doe v. Beasley Broadcast Group, 105 So. 3d 1 (Fla. 2nd DCA 2012).

While HIPAA and Florida’s version of that Federal Law (FIPAA) do not provide a civil remedy, they are evidence of best practices and standard of care that provide a foundation for jury instructions on negligence. The laws also incorporate the Federal and State Unfair Trade Practices Acts that provide civil remedies that include cost and fee-shifting provisions.

In addition, Florida recognizes the statutory (including administrative rules) duty of health care providers to properly maintain medical records. See, Public Health Trust of Dade County v. Valcin, 507 So. 2d 596 (Fla. 1987). While Valcin has been clarified (it should no longer be used to support an independent cause of action for spoliation), the doctrine of spoliation is alive and well in the State. Valcin’s burden of proof shifting presumptions are a powerful tool for claimants where the health care provider negligently loses, destroys, or discards records that prejudice the ability of the Plaintiff to fully prosecute their claim. It can and will likely be argued by data breach victims that releasing the protected records or allowing unpermitted access to the records can also result in a Valcin instruction under proper circumstances.

When the confidential medical and financial data of almost three million local patients is breached – that is a matter of serious concern for the entire community. Many of these patients have been subjected to life altering identity theft and fraud since these data breach incidents. False IRS returns were created for the purpose of stealing refunds. Funnel Accounts were created for the purpose of running stolen and illegal funds and purchases through. False credit and bank accounts were fraudulently created – damaging their credit and injuring innocent lives.

Florida health care reimbursement and delivery systems operate in opaque secrecy. Informed consumers need to see the charges billed and the record of payment. They need to understand the relative position of collateral source payors. They should know how and why hospitals and doctors route billing through the payment channel the way they do. Health care providers should clearly and simply identify how patient insurances are being handled: for instance, what the Hospital is billing, who they are billing it to and whether there are more cost efficient alternatives. In many cases, local Hospitals deliberately avoid charging valid insurance if they believe they can recover more elsewhere by ignoring available insurance.

Patients have a right under Amendment 7 in Florida’s Constitution to know their health care provider’s incident history. As with billing practices, patients have a right to be armed with information about the security of their information. Any data breaches deprive patients of their consumer rights in the health marketplace.

Patients must protect and defend their rights when they are violated. After decades of Florida ‘tort reform’ limiting patient rights, the Supreme Court opinion in Estate of McCall v. United States, 134 So. 3d 894 (Fla. 2014), reversing the legislatively imposed caps on medical malpractice damages, may be the beginning of a broader movement to secure those rights.


Bill Thompson is Plaintiffs’ counsel of record in the data breach class actions Bellows v. Radiology Regional, Florida Circuit Court Twentieth Judicial Circuit (Fort Myers) 16-CA-000629 and Trelease v. 21st Century Oncology, United States District Court (Middle District, Fort Myers) 216-CV-258-FTM-99-MRM. He was also the solo trial and appellate counsel in the invasion of privacy claim appealed to Florida’s Second District Court of Appeals prior to settling for a confidential amount, Doe v. Beasley Broadcast Group, 105 So. 3d 1 (Fla. 2nd DCA 2012).


1 Office of Inadequate Security, March 4, 2016;

2 Id., September 24, 2013;


4 Ft. Myers News Press, Melanie Payne, March 2 and March 9, 2016.