Kaiser Permanente lawsuit against former business associate dismissed, but are patient data still at risk?
If you’re a privacy professional or information security professional looking for a cautionary tale or a nightmare case to use in your presentations, this may be it. In reading about this case, however, keep in mind that there has never been any indication that patient information was disclosed improperly or that it has been misused.
In July 2012, I noted a conflict between Kaiser Permanente (KP) and its former business associate, Surefile Filing Systems. The dispute arose after KP turned over hundreds of thousands of patient records from two of their facilities, Moreno Valley and West Los Angeles Medical Center, to Surefile to catalog and store. At the conclusion of the contracted work in July 2010, KP sent a termination notice and requested their records back. In response, Stephan and Lisa Dean, owners of Surefile, claimed that KP owed them more money for their services. A “Transfer Agreement” signed in July 2010 failed to resolve the dispute, and in March 2011, the parties signed a superseding Settlement Agreement. Under that agreement, Surefile accepted a $110,000 payment to resolve the dispute and drop all claims arising from it. But that agreement also fell through a few months later when Dean informed KP that he was still in possession of ePHI. Over the next year, Dean continued to demand more money. He had also started filing complaints about KP with California and HHS, alleging that KP violated HIPAA by not always having written Business Associate Agreements in place before transferring patient records and by sending e-mails containing PII and PHI in unencrypted format.
Portraying his own business as somewhat sloppy (records were stored in a garage, files were on a computer in the family home, he used a Hotmail account without encryption, and his computers were infected with malware), Dean contacted the media to claim that KP’s patients’ and members’ records were at some risk as long as Surefile was in possession of them.
With Surefile still in possession of some records and unwilling to cooperate with KP to securely delete all ePHI and certify that they had done so, KP sued Surefile in October 2012. As part of the proceedings, Surefile filed a declaration with the court. Significantly, perhaps, their declaration cited a clause in the Settlement Agreement that incorporated the June 2009 BAA. The latter had a clause that if return or destruction of PHI was not “feasible,” Surefile could retain it, subject to the terms of the BAA to protect it and not disclose it. The declaration also stated, “Defendants have, with the plaintiff’s knowledge, been maintaining patient information for several years.” So more than two years after KP tried to get all their records back and/or deleted, Surefile was still in possession of records containing PHI and ePHI. On December 31, 2012, Dean informed the court and KP that he had deleted all the emails with ePHI.
According to Dean, KP wanted their own IT personnel or a third-party forensics team to examine Surefile’s computers and Dean’s Hotmail account (Dean’s Hotmail account was reportedly used for both communications with KP and for the family’s personal use). Surefile declined to voluntarily grant KP access to Surefile’s computers or the Hotmail account unless KP paid them hundreds of thousands of dollars over and above what they had already been paid, and KP sought a court order to get access to Surefile’s computers.
In January, the court refused to grant KP access to Surefile’s computers, and I posted an update on this blog at the time.
Although the judge denied KP’s request for access to Surefile’s computers, the judge did grant KP a preliminary injunction that prohibited the Deans from disclosing any confidential patient information.
This week, Stephan Dean informed PHIprivacy.net that KP had dismissed their suit against Surefile, and that the judge had lifted the injunction and granted Surefile summary judgment. According to Dean, the court agreed with the Deans’ argument that the settlement agreement of March 2011 controlled and prohibited KP from suing Surefile for anything arising out of the dispute. KP had sought, and obtained, leave to file an amended complaint, but following a settlement conference on September 13, they dropped that idea.
Dean tells PHIprivacy.net that he feels KP tried to punish him for pointing out their failings. Not surprisingly, KP presents a different picture of the dispute. In a brief they filed for the settlement conference, they assert that at one point, Surefile demanded $8,000,000.00 to delete the emails – even after signing the March 2011 agreement accepting $110,000 as payment in full to resolve all claims.
Meanwhile, back at the regulators
While the matter was being litigated, there was still the matter of investigations by regulators. In December, in response to the complaint filed by Dean and following their own investigation, the California Department of Public Health found KP in violation of state law and demanded a corrective action plan. According to a spokesperson for KP contacted by PHIprivacy.net, CDPH cited the hospital for violation of 22 California Code of Regulations Section 70751 (b), which states:
(b) The medical record, including X-ray films, is the property of the hospital and is maintained for the benefit of the patient, the medical staff and the hospital. The hospital shall safeguard the information in the record against loss, defacement, tampering or use by unauthorized persons.
“Had KP sought approval from CDPH prior to engaging Surefile, we would not have been out of compliance,” the spokesperson informed PHIprivacy.net.
In response to the state’s finding, KP promptly developed a comprehensive corrective action plan that was implemented after CDPH accepted it. CDPH has not informed the hospital that it intends to seek a financial penalty, so the state-level action appears to be concluded.
On July 31, 2013, more than one year after Stephan Dean filed a complaint against KP with HHS, he received a letter from HHS telling him that they were opening an investigation. And although the KP spokesperson I spoke with today did not seem to be aware of this yet, on September 17, HHS closed its investigation without further action. The closing of the investigation, however, seems to rely, at least in part, on Dean’s declaration to the court that he had destroyed all e-mails and PHI. As noted below, that turned out not to be a wholly accurate statement. HHS also noted that KP had appropriate security policies in place and that the employee who sent ePHI in unencrypted format was no longer employed by them. They had also provided additional training to employees on their policies.
But Wait, There’s More…
In the process of preparing this update, PHIprivacy.net sought statements from Stephan Dean as well as from KP. As part of those communications, Dean informed PHIprivacy.net that Surefile intended to start contacting KP’s patients to inform them that their PHI had not been properly protected by KP:
We have decided to contact the patients. They have a claim against KP for a violation of the UCL. The emails sent without any safegaurds (sic) is a violation of HIPPA (sic). KP for over two years had a practice of this.
According to Dean’s statement to PHIprivacy.net, the unencrypted e-mails contained patients’ names, addresses, Social Security numbers, doctors’ names, and admission dates. If the patient’s record was an adoption record, the e-mail would also include the mother’s name and phone number, he stated.
When asked how they could contact patients when they had declared in December 2012 they had deleted all emails with PHI, Dean replied:
We deleted all PHI in our care custody and control to the best of our knowledge. What we are saying is that if you were admitted in 2003 we had your record and it was on a data base (sic) we created for KP.
In May 2013 we found a disk containing 3296 lines of PHI plus 3 paper records. We contacted KP lawyer and returned to him. Shortly after he sent us a partial list of the data we sent him as part of a series of questions known as special interrogatories. We still have those court documents and plan on using them to contact patients.
PHIprivacy.net asked Dean to describe the database he referred to in his email and asked him why he was still in possession of it. He replied, via e-mail, that the database was for all Moreno Valley patients. According to Dean, the Settlement Agreement only required Surefile to preserve the data as per the BAA of June 2009. While Surefile deleted the electronic file on their computer, the data are still – somewhere – on approximately 10 missing discs, he claims. In previous correspondence, Dean had indicated that if they found the discs, their plan was “on letting KP know as well as the patient then we will destroy or return [to KP].”
Dean estimated that 100,000 KP members or patients have PHI on the 10 missing discs. And according to Dean, the records on the missing discs include the patients’ names, medical record numbers, dates of birth, and admission dates.
In a subsequent e-mail, Dean tells PHIprivacy.net that they will contact at least three patients by phone.
In response, a KP spokesperson commented:
Mr. Dean provided a declaration on December 31, 2012 that he had no PHI and Mr. Dean testified on September 13 in open court that he possessed no PHI. Reports of Mr. Dean’s more recent statements to media flatly contradict those earlier statements, which he made under oath.
And if that wasn’t distressing enough to hear if you’re a covered entity, Dean also informed PHIprivacy.net that he contacted HHS again today to report the missing discs and to try to have them open a new investigation about that issue.
Will Dean really contact KP patients and members? We’ll have to wait and see.
But if you’re wondering whether Dean is concerned that he might be sued again, he tells PHIprivacy.net that he’s not, because KP’s lawsuit was dismissed with prejudice.
And if you’re wondering whether KP ever filed any complaints with the state or HHS against Surefile, the answer is that they haven’t, because there’s apparently no mechanism for a hospital or provider to file a complaint against a business associate.
So there you have it. In terms of lessons to be learned, I asked KP if having a signed BAA in place before the first transfer of records would have prevented some of the problems they subsequently encountered. They replied that it wouldn’t have:
It has become abundantly clear over the past many months: Kaiser Permanente could have only prevented Mr. Dean’s later misconduct by refusing to engage him for services in the first place.
N.B. This has been an extremely difficult case to write up and report on. PHIprivacy.net has made serious efforts to fact-check, but there may still be errors despite the site’s best efforts. If either of the parties has any corrections, I will post them as updates.