Iowa Community HomeCare and Proliance Surgeons Face Lawsuit Over Ransomware Attack

Proliance Surgeons Faces Lawsuit Over Ransomware Attack and Data Breach

Surgery group Proliance Surgeons based in Seattle, Washington is facing a class action lawsuit due to a recently reported ransomware attack and data breach that impacted more or less 437,400 people.

The group manages about 100 surgery facilities in Washington and serves over 800,000 patients per year. On May 24, 2023, the group engaged third-party forensic experts to investigate the cyberattack. It was confirmed that hackers acquired access to files containing patient information and extracted some files from its system on February 11, 2023. The data exposed in the attack contained names, contact data, Social Security numbers, driver’s license numbers, financial details, treatment data, and usernames and passwords. Breach notification letters were sent on November 21, 2023.

Plaintiff and ex-patient, Alicia Berend, together with similarly situated persons who had their sensitive data exposed in the cyberattack, filed a lawsuit in a Seattle federal court. The lawsuit claims Proliance Surgeons was unable to sufficiently secure patient information as mandated by federal and state legislation and according to its internal security guidelines, and that the data security failures resulted in the Health Insurance Portability and Accountability Act (HIPAA) violation.

The lawsuit likewise references a prior security breach where unauthorized persons got access to its web payment system for seven months from November 2019 to June 2020, permitting access to be acquired to names, payment card details, and zip codes. After that incident, Proliance Surgeons stated it would be improving its security measures to avoid the same incidents later on. The prior security breach isn’t posted on the HHS’ Office for Civil Rights (OCR) portal, which suggests either the breach report wasn’t submitted to OCR, that Proliance Surgeons established that protected health information (PHI) was not compromised, or the breach impacted less than 500 people. The lawsuit states that having two major security breaches in just 3 years signifies that there is a pattern of negligence regarding data security.

The lawsuit additionally argues the time it took to learn about the compromise of patient data, which happened 102 days after detecting the security breach, and Proliance Surgeons only sent the notification letters to the impacted persons on November 21, 2023, which is 283 days after the occurrence of the data breach. The lawsuit states that the plaintiff and class were unaware of the breach, therefore keeping them from doing something to mitigate their injuries immediately.

The lawsuit states the plaintiff and class have endured injury and financial losses, and that the plaintiff had encountered identity theft and fraud. Allegedly, she has gotten email messages saying that somebody has made use of her identity for different out-of-state transactions, which include queries into real estate in Florida, and has likewise gotten a lot of spam emails and telephone calls and now worries for her personal and financial safety. The plaintiff states that she has endured anxiety, sleep trouble, stress, fear, and disappointment and that these traumas are more than just stress or hassle.

The lawsuit claims negligence, breach of fiduciary duty, breach of implied contract, unjust enrichment, privacy violation, and violations of the Washington Uniform Health Care Information Act (UHCIA), Washington Data Breach Disclosure Law, and Washington Consumer Protection Act. The lawsuit wants class action certification, compensatory, punitive, exemplary, and statutory damages, a jury trial,
and lawyers’ fees and legal fees.

Samuel J. Strauss of the law agency, Turke & Strauss LLP represents the plaintiff and class.

Iowa Community HomeCare Faces Lawsuit Over Ransomware Attack in March 2023

An ex-employee and a patient sued UI Community Medical Services and UI Community HomeCare, the subsidiaries of the University of Iowa (UI) Health Care, due to a ransomware attack and data breach in March 2023. The data breach was reported by IU Health Care in May 2023, although it happened in March 2023 and impacted its subsidiaries. Iowa Community HomeCare learned about the security breach on March 23, 2023 because of the encrypted files on its system. The investigation established there was unauthorized access to records that contained sensitive information on March 23, 2023.

Personal data and PHI was compromised and possibly stolen, including names, addresses, birthdates, telephone numbers, referring doctor names, medical record numbers, dates of service, medical insurance details, billing and claims data, medical history data, and diagnosis/treatment details. During the issuance of notifications, Iowa Community HomeCare did not find any attempted or actual misuse of stolen information. The data breach report was submitted to the HHS’ Office for Civil Rights indicating that up to 67,897 persons were affected.

The lawsuit alleges that the data breach might have been avoided if the defendants, UI Community HomeCare and UI Community Medical Services had enforced proper security procedures. Although security procedures were put in place, the lawsuit states the defendants willfully ignored their data security responsibilities by using less expensive, inadequate security procedures at the expense of plaintiffs and class members.

The defendants likewise were unable to make known to patients that low-quality cybersecurity methods were set up and vulnerabilities were not dealt with, which made the plaintiffs and class members think their sensitive data were sufficiently protected when deciding about buying and getting the defendants’ solutions. The plaintiffs state that the defendants’ revenue, rewards, and other payments were acquired incorrectly and they aren’t lawfully allowed to retail any of the benefits, payments, or revenue obtained from their transactions.

The plaintiffs were Becky Kaefring and Kimberly Sullivan. Kaefring was employed at UI Community HomeCare from 2003 to 2019 and Sullivan’s child got medical services from UI Community HomeCare. The plaintiffs assert they have endured injuries because of the data breach which include lost time, hassle, disturbance, difficulty, and anxiety concerning the breach of their sensitive information, and that they are facing the responsibility of needing to carefully watch out for identity theft and fraud for years ahead.

Kaefring claims breach of implied contract, negligence, negligence per se, unjust enrichment, breach of fiduciary duty, and invasion of privacy. Sullivan claims breach of implied contract, negligence, unjust enrichment, and breach of implied covenant of good faith and fair dealing. The lawsuit is seeking class action certification, a refund, compensation and injunctive relief, and a court order for the defendant to make major enhancements to safety measures.

About Christine Garcia 1304 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at