Tampa General Hospital and Performance Health Technology Face Lawsuits

1.2 Million Record Data Breach Results in Tampa General Hospital Lawsuit

Tampa General Hospital (TGH) is being sued over a data breach in which hackers gained access to the sensitive information of about 1.2 million individuals. It is one of the biggest healthcare data breaches in Florida, prompting Senator Rick Scott (R-FL) to ask the FBI to prioritize investigation of the breach to penalize the perpetrators.

TGH stated that its breach investigation confirmed that hackers accessed its network from May 12 to May 30, 2023, and extracted files that contain patient data. Those files included names, contact details, birth dates, Social Security numbers, and medical insurance data. TGH discovered the security breach on May 31, 2023. The law firm Morgan & Morgan filed the lawsuit, which alleges that TGH did not use proper security procedures to protect the confidentiality, availability, and integrity of patients’ protected health information (PHI), and that this gave hackers the chance to steal highly sensitive patient data. The lawsuit also raises the delay in detecting the breach and alerting patients. Hackers had access to the system for 19 days before detection, and TGH only notified the affected individuals on July 19, 2023.

The lawsuit was filed on behalf of three plaintiffs and other patients similarly impacted by the data breach. The plaintiffs have chosen to remain anonymous, and one of them alleges being a victim of identity theft because of the data breach. The lawsuit also states that this is not the first data breach to have happened at TGH. TGH experienced a data breach in 2014 and reported it to the HHS’ Office for Civil Rights as an incident involving unauthorized electronic medical record access impacting 675 individuals.

The lawsuit alleges negligence, unjust enrichment, invasion of privacy, breach of confidence, and breach of fiduciary duty, and seeks restitution, damages, and injunctive relief. The law firm released a statement regarding the lawsuit, which was recently filed in Hillsborough County. Hopefully, this lawsuit will bring justice and accountability for the patients whose privacy was violated and encourage Tampa General Hospital to secure its patients’ privacy in a way appropriate to the present state of cyberattacks.

Class Action Lawsuits Filed Against Performance Health Technology for the MOVEit Cyberattack

Performance Health Technology (PH Tech), based in Oregon, provides data management services to medical insurance companies. It is facing lawsuits filed by people whose PHI was exposed in a recent cyberattack. The Clop hacking group attacked PH Tech by exploiting a zero-day vulnerability in Progress Software's MOVEit Transfer file transfer solution. The vulnerability was exploited on May 28, 2023, and Progress Software advised PH Tech of the vulnerability on June 2. Analysis of the impacted files showed that the information of a number of its customers was exfiltrated, including that of Health Share of Oregon, the Oregon Medicaid coordinated care provider. The exposed data differed from person to person and included names, birth dates, Social Security numbers, email addresses, addresses, plan ID numbers, member ID numbers, authorization details, diagnosis codes, procedure codes, and claim details.

PH Tech was one of many companies where the vulnerability was exploited. The Clop hacking group is known to have attacked about 677 firms by taking advantage of the vulnerability and stole the information of over 42 million people in the attacks. Progress Software identified the vulnerability on May 31, 2023, released a patch to correct it that same day, and immediately notified its customers. PH Tech stated in its notification letters that it disabled access to the platform when the vulnerability was found, applied the patch when Progress Software released it, and redesigned the MOVEit platform to prevent further unauthorized access.

About two lawsuits naming PH Tech as a defendant have already been filed in the District Court in Oregon as a result of the data breach:

  • The Malo v. Performance Health Technology, Ltd. lawsuit names Katelin Malo as the plaintiff, individually, and as the natural parent and next friend of K.J., a minor, and Joann Kindred and Corrinna Reed
  • The Ballard v. Performance Health Technology, Ltd. lawsuit names PH Tech client Jordinn Ballard as the plaintiff

Both lawsuits allege that PH Tech failed to protect the personally identifiable information (PII) and PHI of the plaintiffs and class members and that it failed to adhere to industry requirements for securing data systems. The Ballard lawsuit alleges that PH Tech did not monitor its servers for possible security problems, and the Malo lawsuit alleges that PH Tech’s lax security measures violated the HIPAA Privacy and Security Rules and FTC guidelines.

Aside from negligence, the Malo lawsuit claims breach of implied contract, negligence per se, unjust enrichment, and Oregon Unfair Trade Practices Act violations. The lawsuit also seeks a court order requiring PH Tech to strengthen data security, including having third-party security auditors perform testing, penetration testing, and audits of PH Tech systems; performing automated security checks; training its employees; and enhancing access controls and firewalls.

The lawsuits allege that the plaintiffs’ sensitive information is in the possession of cybercriminals and that the plaintiffs face imminent and ongoing harm from data misuse and must monitor their financial and personal data for a long time. The two lawsuits seek a jury trial, class action status, and damages above $5 million.


About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA