Post Acute Medical, LLC Data Breach (2019)

Houston mayoral candidate and prominent trial lawyer Tony Buzbee is serving as defense counsel in a federal court lawsuit in Pennsylvania, brought by a health care provider who says the owner and operator of its computerized records database illegally procured and retained its confidential patient data. Meanwhile, Buzbee's client counters that it is the party that is victim to theft. Post Acute Medical, LLC of Enola filed suit in the U.S. District Court for the Middle District of Pennsylvania on July 2 versus Christopher LeBlanc and Meridian Hospital Systems Corporation of Dallas, Texas. “Until recently, PAM had authorized Meridian and LeBlanc to access PAM’s confidential patient data and business information in connection with PAM’s daily operations, because Meridian set up a computerized database through certain software applications, to essentially house and aggregate PAM’s data,” the suit reads. “Importantly, this highly confidential data included Protected Health Information and Electronic Protected Health Information related to patients in PAM’s network affiliated hospitals throughout the country, as well as valuable customer and vendor contact lists and preference information, which PAM does not disclose to the public.” Meridian allegedly understood and agreed it had no authorization to use PAM’s confidential data for any reason other than supporting PAM’s operations and would return it at the end of the contract, per HIPAA regulations and made clear through a one year-long written addendum agreement entered into in June 2018. “Throughout the entirety of the relationship, PAM repeatedly reported several frustrations to LeBlanc about the effectiveness of Meridian’s software applications, which ultimately led PAM to the realization that it would be better for PAM’s operations to develop its own applications tailored to its specific and evolving needs,” the suit states. At one point, the suit says discussions centered on PAM acquiring an equity interest in Meridian, if PAM would stay with Meridian and enter into a long-term contract, but negotiations later fell through. Subsequently, the defendants were charged with having committed the following: • Falsely accusing PAM of misappropriating its software applications; • Abruptly terminating PAM’s access to Meridian’s applications and PAM’s own highly confidential data; • Repeatedly refusing to return PAM’s highly confidential data; • Accessing and mining PAM’s highly confidential data without authorization after receiving multiple demands from PAM to immediately return such data; and • Publicly disclosing protected health information of a patient, which was contained in PAM’s highly confidential data that Meridian was not authorized to access, and has been holding hostage since May of 2019. “Although LeBlanc and Meridian received more than a half-dozen requests from PAM to immediately return PAM’s highly confidential data, rather than return any such data as required by law, LeBlanc and Meridian have held the data ransom and repeatedly threatened to destroy it in violation of HIPAA,” according to the lawsuit. The Pennsylvania suit further alleges that in an attempt to delay returning PAM’s confidential and proprietary records, the defendants separately filed a “groundless” lawsuit in Harris County, Texas District Court and a request for a temporary restraining order and injunction in Houston against PAM, Clear Lake Institute for Rehabilitation, LLC and Key Management Group, LLC, despite none of the case parties having any connection to that city.