People affected by the recent data breaches at Blackbaud and Assured Imaging have taken legal action over the compromise and theft of their personal data and protected health information (PHI).
Several Lawsuits Filed in Connection with the Blackbaud Ransomware Attack
The security breach at Blackbaud is one of the biggest healthcare data breaches reported. The number of healthcare entities impacted is not yet clear because each affected entity is submitting its breach report separately. As the reporting deadline draws near, the magnitude of the breach is becoming clearer. At present, about 5 million people are confirmed to have been affected, and about 60 healthcare institutions have confirmed that they were impacted by the security breach.
As in other well-known ransomware attacks, the attackers exfiltrated information before deploying the ransomware. Blackbaud decided to pay the ransom demand to get the keys to decrypt its data and to make sure that all stolen information was completely wiped out. Blackbaud has received assurances that the stolen data was deleted; however, because of the breach, people whose information was stolen still had to take steps to secure their identities, and many have incurred out-of-pocket expenses.
Currently, approximately 10 lawsuits have been filed against Blackbaud, and they seek class-action status. The lawsuits claim negligence, invasion of privacy, multiple violations of state regulations, and breach of contract.
Blackbaud may have obtained assurances that the stolen data was wiped out; however, the hackers might still have kept a copy of the stolen information. According to one lawsuit filed in California federal court, Blackbaud can’t reasonably say that the hackers deleted the subset copy just because it paid the ransom demand and the data thieves affirmed that the copy was deleted. Blackbaud responded that the allegations in the lawsuits lack merit.
Lawsuit Filed Due to Assured Imaging Ransomware Attack
Assured Imaging similarly experienced a ransomware attack in which the attackers stole patient data before deploying the ransomware. The hackers first accessed Assured Imaging’s systems on May 15, 2020, and downloaded the ransomware on May 19, 2020. The provider sent notification letters to the 244,813 affected patients on August 26, 2020. Although it has been confirmed that the hackers stole information, Assured Imaging could not ascertain which information they obtained.
The hackers responsible for the attack then posted part of the stolen data to try to force Assured Imaging to pay the ransom. They used the Pysa ransomware, also known as Mespinoza, in the attack.
Legal action was filed in the US District Court of Arizona on behalf of plaintiffs Kerri G. Peters, Angela T. Travis, and Geraldine Pineda, and others impacted by the data breach. Attorney Hart L. Robinovitch of Zimmerman Reed represented the plaintiffs.
The lawsuit claims that Assured Imaging stored patient information carelessly on a computer system that was susceptible to cyberattacks, and that there was an identified risk of inappropriate disclosure of PHI because of the absence of proper cybersecurity protections.
The lawsuit additionally claims that the failure to protect the network left patient information at risk. Further, it claims that network monitoring was poor, which delayed detection of the attack.
The lawsuit also claims that Assured Imaging violated FTC guidelines and failed to comply with minimum industry standards for data security, such as implementing security updates immediately, training the workforce, employing proper guidelines and procedures pertaining to data security, and encrypting data.
The lawsuit states that patients face an elevated risk of fraud and identity theft for several years to come because of the data theft and the actual or possible sale of their data on the black market. Impacted patients likewise sustained ascertainable losses from disruption of healthcare services, out-of-pocket expenses, and the value of the time they spent responding to or mitigating the impact of the attack.