The State of Arkansas is taking legal action against a defunct health system over its alleged abandonment of employee and patient data after its hospital closed.
On Thursday, Arkansas attorney general Leslie Rutledge announced a lawsuit against Eastern Ozarks Regional Health System for its alleged failure to protect sensitive personal and medical information.
The suit alleges that the health system’s former Cherokee Village hospital violated the Personal Information Protection Act (PIPA) and the Arkansas Deceptive Trade Practices Act (ADTPA) when it abruptly ceased operating, locked out employees and left patient and employee files behind in unsecured buildings.
Eastern Ozarks Regional Health System’s 40-bed hospital stopped operating in December 2004. Six years later, the property was transferred to the State of Arkansas after its owners failed to pay their taxes.
In 2021, investigators with the Attorney General’s Office (AGO) conducted a site visit to the property and found files scattered throughout the facility and its storage buildings.
“The facility had been vandalized and was in serious disrepair,” said a spokesperson for the AGO.
“Many files throughout the property appeared to have been examined, likely by trespassers seeking to steal significant personal information.”
According to the suit, the files deserted by the hospital contained Social Security numbers, driver’s license numbers, account information, medical information and biometric data.
The suit alleges that Eastern Ozarks Regional Health System failed to properly dispose of or properly secure the files before the properties being conveyed to the State of Arkansas.
The attorney general estimated that “several thousands of files” could have been deserted in the unsecured buildings since the hospital and its clinics operated for around nine years.
“Consumers must be able to trust their healthcare providers and employers to protect their personal information,” said Rutledge.
“Eastern Ozarks Regional Health System betrayed that trust and left patients and employees vulnerable to scams and identity theft. I am holding the hospital and its owners accountable.”
The action is being taken against Country Medical Services Inc., the former operator of Eastern Ozarks Regional Health System, and owners Robert Becht of Hartsville, Tennessee, and Theresa Hanson of Deland, Florida.
If convicted of PIPA and ADTPA violations, the defendants face civil penalties of up to $10,000 for each violation.