Atlantic.Net Blog

HIPAA Lawsuit: $1.4 Million Walgreens Love Triangle

Sam Guiliano
by Atlantic.Net (86 posts) under HIPAA Compliant Hosting

This piece argues for independently audited self-encrypting HIPAA storage as a service for healthcare companies. We review it within the broad enforcement and liability context, proceeding as follows:

  • Data Privacy Monitor: Surge of fines expected this year
  • Indianapolis Star: $1.4 million Walgreens love triangle
  • Analysis: Case places further pressure on the industry
  • Defense: Walgreens perspective & vicarious liability
  • In it together: Business associates post-Omnibus

Data Privacy Monitor: Surge of fines expected this year

As of June, both the year-over-year record and the forecast for healthcare compliance enforcement looked bleak. That became clear when a prominent lawyer for HHS OCR spoke with a legal magazine at a professional conference, as reported by Data Privacy Monitor earlier this year.

According to DPM, Law360 interviewed the Chief Regional Counsel for the OCR, Jerome B. Meites, at a Chicago meeting of the American Bar Association (ABA). He said that the year leading up to June would “‘pale in comparison to the next 12 months.’”

That was not what the healthcare industry was hoping to hear, since the actions of the OCR were already considered excessively aggressive and punitive by some. Between June 1, 2013, and June 13, 2014, nine settlements were posted on the HIPAA “Wall of Shame” (actually the OCR’s Breaches Affecting 500 or More Individuals announcement page, which does go soft on noncompliant companies by listing violations chronologically backward) that totaled more than $10 million.

Mr. Meites said that based on upcoming settlements expected to be announced through 2014 and the first half of 2015, “‘I suspect that [the] number [from the last year] will be low compared to what’s coming up.’”

Indianapolis Star: $1.4 million Walgreens love triangle

Financial settlements with the federal government are just one side of the equation, though. Healthcare firms must also be concerned with civil lawsuits – especially since one recent high-profile judgment involving a major consumer brand places responsibility for employee wrongdoing with the employer.

The Court of Appeals in the state of Indiana decided on Friday, November 14, in favor of a customer whose health information was taken by a Walgreens pharmacist and shared with a third party – as reported by Tim Evans of the Indianapolis Star. Specifically, the pharmacist took the prescription information of her husband’s ex-girlfriend and shared it with her husband, who in turn shared it with at least three additional parties. The victim in the healthcare data love triangle was awarded $1.44 million.

According to the victim’s lawyer, Neal F. Eggeson, Jr., the decision was the first by an appellate court in the United States to place liability with a HIPAA covered entity (in this case Walgreens) for a data breach caused purely by employee wrongdoing.

Analysis: Case places further pressure on the industry

Eggeson and other healthcare attorneys said that the judgment will serve as a legal precedent for use in future court cases around the country.

The Indiana Court of Appeals decision effectively “‘[confirms] that privacy breach victims may hold employers accountable for the HIPAA violations of their employees,’” said Eggeson.

David Orentlicher, who co-heads the law and health center at Indiana University’s law school, noted that even though Walgreen Company has stated they plan to appeal this decision, it serves as a general warning to all healthcare companies that privacy must be maintained.

Orentlicher said that protection of sensitive medical details is critical because if patients can’t be reasonably certain that their data won’t be misused, they may avoid seeking care altogether.

Defense: Walgreens perspective & vicarious liability

James W. Graham, writing on behalf of Walgreens, described what the corporation believes to be unfair about the decision: the pharmacist who unethically accessed and shared the health records “was aware of our strict privacy policy and knew she was violating it.” Graham said that the drugstore chain did not believe that the law should make a company responsible for the misdeeds of a single worker.

The November verdict was in response to a request from Walgreens to overturn a July 2013 case decided in favor of Abigail Hinchy, the ex-girlfriend, a customer of the 6269 W. 38th St. location in Indianapolis.

Walgreens was dealt a sound and swift blow by the Court of Appeals. Judge John Baker stated in a unanimous verdict that the Walgreens pharmacist, Audra Withers, had disregarded “one of her most sacred duties” when she looked at the details within the customer’s account and provided her findings to an unauthorized individual (the husband).

Orentlicher noted that when Walgreens appeals at the Indiana Supreme Court, the idea of “vicarious liability” will be central to the debate. In the case of a workplace that made every effort to properly train its workers, the court sometimes places accountability with the employer nonetheless – because it made the decision to employ that particular individual.

In it together: Business associates post-Omnibus

Prior to the release of the Final Omnibus Rule in 2013, business associates were not held immediately responsible for healthcare privacy and security by the federal government. Now all that has changed. According to the American Academy of Orthopaedic Surgeons, the adjustments to the law impact any individual or organization that handles protected health information (PHI). Today, business associates such as Atlantic.Net are “directly liable for compliance.”

With a complex and refined privacy and security background that spans two decades, we are able to provide a broad range of HIPAA Hosting solutions. Many clients benefit from our self-encrypting storage plans, in which the entire hard drive is encrypted via a symmetric key held in a separate location from the CPU (isolating it from any dangers of memory corruption). We offer our HIPAA Servers and blazing fast Cloud Servers with a 100 percent uptime guarantee.
