Ever wonder what happens when patient record requests are ignored, invoices go wild, and cybersecurity takes a coffee break? Spoiler: it ends with lawsuits, settlements, and a whole lot of legal back-and-forth. In this episode, we unpack a right of access case that dragged on longer than a season of courtroom drama, and then dive into the spaghetti mess of post-breach chaos – where class action lawsuits spring up like mushrooms and documentation (or lack thereof) can make or break you. If you thought the breach was the worst part… oh honey, it’s just getting started.
In this episode:
After the Breach Notice Comes the Lawsuit – Ep 542
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
[00:47]
54th Patient Right of Access Settlement
What happened:
- HHS received a complaint on December 28, 2018, alleging Concentra failed to appropriately respond to patient medical record requests.
- OCR found that a request for electronic medical and billing records was sent to Concentra’s Peoria, Arizona Center on February 15, 2018.
- This request was forwarded to Concentra’s Central Billing Office (CBO), and virtually identical follow-up requests were sent multiple times in 2018; in total, 6 requests were made.
- On October 8, 2018, Concentra’s business associate invoiced $82.57 for the records.
- After the amount was disputed, the business associate adjusted the balance to $6.50 and mailed a paper copy of the records on March 21, 2019.
OCR Director Paula M. Stannard quote: “Under the HIPAA Privacy Rule, individuals or their personal representatives have the right to timely access their medical records. Individuals should not have to make multiple requests and file a complaint with OCR to gain access to their health information.”
This thing went on forever!
There was a proposed CMP of $250k that was requested to go to the Administrative Law Judge, which is always an option. Concentra asked for the case to be dismissed on summary judgment. That got shot down on January 3, 2025, when the ALJ “denied that motion, determining that factual disputes remained regarding issues between Respondent and OCR.” At that point, they worked out a resolution agreement for $112,500.
This is the 54th one of these to be announced. But since this one goes back so far, hopefully we won’t see many new ones.
[10:10] After the Breach Notice Comes the Lawsuit
But what about the class actions:
Conduent Anticipates $25M Data Breach Cost by Q1, 2026
US Data Breach Lawsuits Total $155M Amid Cybersecurity Failures – Infosecurity Magazine
Netgain Technology Pays $1.9M in Data Breach Settlement
What started as a conversation about breach notifications quickly turned into something much heavier: the realization that the breach itself is often just the opening act. Once an incident hits the public reporting portal (yes, the one everyone still calls the “wall of shame”), the lawsuits follow almost immediately. Not months later. Not after the investigation is done. Sometimes while organizations are still figuring out what even happened. Searching for details on a single breach now feels like digging through a sea of class action announcements, each one racing to be first in line for a settlement.
As the numbers came out, the math got uncomfortable fast. Class action settlements averaging around $3 million, some reaching $25 million, and that’s before legal fees, forensic costs, recovery efforts, or reputational damage even enter the picture. Meanwhile, most individuals affected walk away with $150 and a year of credit monitoring. It’s a strange imbalance: enormous financial pain for organizations, minimal relief for individuals, and an entire industry of “digital ambulance chasers” ready to capitalize the moment a breach goes public.
[16:22] Good Intentions Don’t Hold Up in Court
Courts and regulators may be sympathetic to victims of attacks, but they are far less forgiving when it looks like an organization didn’t take reasonable care. Most breaches don’t start with malicious neglect. They start with good intentions that slowly erode. Security plans get set, budgets get approved, and then the threat landscape shifts. New tools are needed. Costs go up. Decisions get delayed. Before long, organizations are standing still while attackers keep moving forward. It’s rarely a people problem. It’s a process problem that quietly grows over time.
That’s where documentation and defensibility become the unsung heroes of breach response. You can’t just say you were doing the right things. You have to prove it. And relying on vendors or MSPs to “have that somewhere” isn’t a strategy unless it’s contractually guaranteed and actually covers everything it should. Security isn’t one-size-fits-all, and neither is documentation. When things go wrong, and eventually something always does, the organizations that can clearly show what they did, why they did it, and how it was reasonable for their environment are the ones that suffer less. Not no pain. Just less of it. And in today’s breach-and-lawsuit cycle, “less” makes a very real difference.
When it comes to data breaches, there’s no such thing as “clean up and move on.” It’s more like “lawyer up and hang on.” This episode proves that defensibility is your ride-or-die, documentation is your favorite co-worker, and underestimating class action lawsuits is… not a great strategy. So go forth, stay vigilant, and maybe double-check that your “just-in-case” plan doesn’t include crossing your fingers and hoping no one notices.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.


