The Donald W. Wyatt Detention Facility in Central Falls, Rhode Island, is facing a class-action lawsuit for a data breach with far more victims than initially reported. The breach, which occurred on November 2, 2023, now involves almost 20,700 individuals, ten times the original estimate.
What happened
In a media statement on December 21, 2023, the Wyatt Detention Facility disclosed that the personal data of 1,984 people had been compromised, including detainees, staff, and vendors.
However, a recent lawsuit reveals that the breach may have affected up to 20,693 people, far exceeding the initial estimate.
The breach's impact was compounded by delays in notification, leaving some victims unaware of the exposure for months. Among these is Jacob Hellested, who never worked at the facility but applied for a job there but has since filed a lawsuit against the Central Falls Detention Facility Corporation, alleging that the delay in notification exacerbated the damage.
What was said
According to the lawsuit, the defendant, Wyatt Detention Facility’s “data security failures allowed a targeted cyberattack in November 2023 to compromise Defendant’s network (the ‘Data Breach’) that contained personally identifiable information (‘PII’) and protected health information (‘PHI’) (collectively, ‘the Private Information’) of Plaintiffs and other individuals (‘the Class’).”
In their media statement, the Wyatt Detention Facility acknowledged the breach, stating, “The Facility regrets any concern this incident may have caused, and we are committed to helping minimize any possible impact. Individuals affected by this incident are being notified as required by law, and free credit monitoring will be offered to affected and eligible individuals. As our review continues, if we discover additional individuals affected by the incident, we will send any required notices to those additional individuals, as well.”
Peter Wasylyk, Hellested’s attorney, criticized, “Despite learning of the Data Breach on or about November 2, 2023, and determining that Private Information was involved in the breach, Defendant did not begin sending notices of the Data Breach (the ‘Notice of Data Breach Letter’) until July 9, 2024.”
In the know
The Health Insurance Portability and Accountability Act (HIPAA) mandates covered entities that handle protected health information (PHI) must notify affected individuals within 60 days of discovering a breach.
Furthermore, breaches impacting 500 or more individuals must be reported to the Department of Health and Human Services (HHS) and potentially the media to increase breach awareness and response.
Why it matters
Covered entities, like Wyatt Detention Facility, must adhere to HIPAA's Breach Notification Rule, so affected individuals can prevent further personal and financial harm. Moreover, adhering to HIPAA's notification requirements ensures that entities are held accountable for their data security practices.
The bottom line
Covered entities must improve their security measures and ensure timely breach notification communication to protect individuals' personal information and comply with data protection standards.
Read also: Does HIPAA apply to incarcerated individuals?
FAQs
What are the penalties for violating HIPAA regulations?
Civil penalties for HIPAA violations can include fines ranging from $100 to $50,000 per violation, with an annual maximum of $1.5 million per violation. Criminal penalties are applied when HIPAA violations are knowingly committed, with increased fines and imprisonment.
How long should PHI be retained?
The retention period for PHI varies by state law and federal regulations but it is generally recommended to retain medical records for at least six years from the date of creation or when the records were last used.
What is considered a breach of PHI?
A breach occurs when an unauthorized party gains access, uses or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with someone who is not authorized to view it.
