A growing number of healthcare companies are confronted with legal action mainly because a ransomware attack had led to patient data theft. The Florida Orthopedic Institute in Florida, which is a big orthopedic provider, recently encountered a class action lawsuit on account of a ransomware attack.
The ransomware attack on Florida Orthopedic Institute was detected on April 9, 2020 when the staff was unable to access its computer systems and database due to file encryption. A third-party computer forensics firm was appointed to look into the breach, and on May 6, 2020, the investigators confirmed that attackers may have accessed and exfiltrated patient information. The types of sensitive data probably compromised included names, birth dates, medical insurance data, and Social Security numbers. The orthopedic institute sent notifications to affected patients who received them on or around June 19, 2020. The institute also offered one-year complimentary identity theft and credit monitoring services to the patients. In the course of issuing the notifications, no proof was found indicating patient data misuse.
Attorney John Yanchunis of Morgan & Morgan recently filed a legal action in Hillsborough County, FL against Florida Orthopedic Institute. Allegedly, the healthcare provider didn’t have appropriate safety procedures in place to protect patient information privacy. He mentioned that undoubtedly, cybercriminals got the data and maliciously used it
The legal action states that the healthcare firm was lackadaisical, lacks seriousness, sloppy, or negligent with respect to maintaining patient privacy and observing standard cybersecurity protocols. Apart from negligence, the legal case claims invasion of privacy, violation of implied contract, violation of fiduciary duty, unjust enrichment, and violation of Florida’s Deceptive and Unfair Trade Practices Act.
Even though patients received no-cost identity theft protection services, Yanchunis claims that the 12-months coverage isn’t enough to protect the victims, considering that affected persons are now at a greater risk of financial troubles for a few years in the future because of the breach.
The lawsuit seeks extended credit monitoring for the affected patients and at least $99 million in damages for the current and former patients.
The incident is not yet posted on the HHS’ Office for Civil Rights breach website, therefore there is no certainty regarding the number of patients affected by the attack. According to the legal action, at least 100,000 to maybe above 150,000 patients were impacted.
Diverse ransomware attacks recently have ended in lawsuits for instance those that involved BST & Co CPAs LLC and DCH Health System. Just recently, Grays Harbor Community Hospital proposed a $185,000 settlement for the class-action lawsuit filed against it.