Class Action Lawsuit Filed Against Einstein Healthcare Network Over 2020 Phishing Attack

Einstein Healthcare Network, a health system based in Philadelphia, is facing a class-action lawsuit over an August 2020 phishing attack that allowed an unauthorized individual to access several employee email accounts.

Einstein Healthcare is a not-for-profit health system that manages a number of outpatient and primary care clinics around the greater Philadelphia area and four hospitals: Elkins Park Hospital, Einstein Medical Center Philadelphia, Einstein Medical Center Montgomery, and MossRehab in Elkins Park.

The breach investigation confirmed that the email accounts had been accessed without authorization for 12 days, from August 5 to August 17, 2020. An analysis of the affected accounts showed they contained the protected health information (PHI) of 353,616 patients, including names, dates of birth, account/medical record numbers, and health data such as diagnosis and treatment details, and, for some individuals, health insurance information and Social Security numbers.

Patients affected by the breach were first notified by mail starting October 9, 2020, while the investigation was still ongoing. Additional notification letters were mailed between January 21 and February 8, 2021, once it was determined that more individuals had been affected.

Following the breach, the health system implemented additional security measures to prevent similar incidents and provided further training to employees on identifying suspicious email messages. Individuals whose Social Security numbers were exposed were offered one year of free credit monitoring and identity theft protection services.

The law firm Morgan & Morgan filed the lawsuit with Nanette Katz of Blue Bell, PA, an Einstein Healthcare patient, as lead plaintiff. The lawsuit alleges that Einstein Healthcare failed to protect and secure patients' PHI and did not implement or follow basic security measures. As a result, the lawsuit claims, sensitive patient data is now in the hands of cybercriminals and patients face a substantial risk of identity theft. Because of the breach, patients have already incurred costs and will continue to spend considerable time and money protecting themselves against identity theft and fraud.

The lawsuit also alleges that the healthcare provider failed to issue timely breach notifications to patients. The lead plaintiff stated that she first received a breach notification in January 2021, more than six months after the breach and alleged PHI theft were discovered. The lawsuit describes the breach response as untimely and woefully inadequate, failing to provide essential details about the data breach.

The lawsuit seeks monetary damages for the plaintiff and class members, asks the court to order the health system to fully disclose the nature and scope of the breached data, and requires the health system to adopt reasonably adequate security measures to prevent future data breaches.

It is now fairly common for patients affected by data breaches to take legal action when their personal data and PHI are exposed or stolen; however, for these cases to succeed, data breach victims generally must show that they have suffered actual harm. Many lawsuits are dismissed because the claims are considered too speculative.

The nature of the harm and injuries suffered must also be sufficient to warrant damages. A recent lawsuit filed by an Envision Healthcare data breach victim, Pruchnicki v. Envision Healthcare Corp., was dismissed by the U.S. Court of Appeals for the Ninth Circuit.

In that case, the claimed harm and injuries included the time spent dealing with the breach; the stress, annoyance, and inconvenience of managing its consequences; worry, anxiety, and uncertainty while obtaining new credit cards; the imminent and future risk of fraud and identity theft; and a loss in the value of the plaintiffs' personal and financial data. These allegations of harm were sufficient for the District Court for standing purposes, but were not sufficient to support an award of compensable damages.

About Christine Garcia
Christine Garcia is a staff writer at Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA