Arkansas AG Filed Legal Action Against Eastern Ozarks Regional Health for Patient Data Breach

Arkansas Attorney General Leslie Rutledge reported about the legal action filed against Country Medical Services Inc. for mishandling the sensitive personal data and protected health information (PHI) of a large number of individuals. Country Medical Services is the previous operator of Eastern Ozarks Regional Health System located in Cherokee Village. The company owners were Robert Becht from Hartsville, TN, and Theresa Hanson from Deland, FL.

The 40-bed hospital of Eastern Ozarks Regional Health was permanently shut down in December 2004. Country Medical Services managed the hospital for 9 years, but an investigation conducted by the state Department of Health discovered about 3 dozen potential Emergency Medical Treatment and Labor Act violations because the hospital cannot deliver emergency services. In 2004, instead of facing financial fines, the hospital quickly ended its hospital license.

After 6 years, the property was given to the state because the owners did not pay the taxes. The office of the Attorney General assessed the property and discovered boxes of documents in the property that included sensitive personal information. Unauthorized persons had acquired access to the property as well as files kept in the facility seemed to have been looking at, possibly by persons trying to find sensitive personal information. At this point, it is uncertain how many previous patients’ sensitive data were compromised and possibly stolen. Files left unsecured at the facility included a variety of sensitive worker and patient data, such as names, contact details, driver’s license numbers, Social Security numbers, financial account data, medical data, and biometric information.

Based on the legal action, which was filed in Sharp County Circuit Court, the investigation discovered no proof that indicates the hospital had taken any acceptable measures to permanently remove or protect sensitive documents. The inability to protect the confidentiality of patient information violates the Health Insurance Portability and Accountability Act (HIPAA); nevertheless, as is normally the case, legal action is being undertaken for comparable state laws violations. The lawsuit claims the defendants violated the Arkansas Deceptive Trade Practices Act (ADTPA) and the Arkansas Personal Information Protection Act (PIPA). Therefore, Country Medical Services and its owners are currently facing civil penalties of as much as $10,000 per violation of the ADTPA and PIPA.

People must have confidence in their healthcare companies and employers to secure their personal data. Eastern Ozarks Regional Health System betrayed that confidence and left patients and workers susceptible to fraud and identity theft. So, the hospital along with its owners are accountable.