Device Maker Zoll Facing 7 Lawsuits in Wake of BreachProposed Class Actions Come in Aftermath of Hacking Incident Affecting More Than 1 Million
Medical device maker Zoll Medical is facing at least seven proposed class action lawsuits filed since it revealed two weeks ago that the data of 1 million individuals had been caught up in a hacking incident involving the company's internal network.
All of the lawsuits so far were filed between March 15 and March 22 in federal court in Massachusetts. The suits make similar allegations, including that Zoll was negligent in failing to protect individuals' sensitive information, putting putative class members at increased risk of identity theft.
The lawsuits seek monetary damages as well as improvements to Zoll's security practices.
At least one of the plaintiffs, Robert Smith, in his lawsuit alleges that he was already harmed by the Zoll incident. On March 13, he says, after receiving Zoll's breath notice letter, he checked his bank account and found an unauthorized charge for $49.99.
"Plaintiff spent significant time resolving this unauthorized charge, which he believes was a result of the data exposure," Smith's lawsuit alleges.
Massachusetts-based Zoll, a subsidiary of Japanese technology firm Asahi Kasei Group, declined Information Security Media Group's request for comment on the lawsuits, saying the company does not comment on pending litigation.
The company earlier this month told ISMG that the cybersecurity incident affects current and former users of the company's LifeVest device - a wearable cardioverter defibrillator worn by patients at high risk of sudden cardiac death. The incident did not affect the operation or safety of the product or any other Zoll medical device or related software, a company spokesperson said (see: Heart Device Maker Says Hack Affected 1 Million Patients).
Zoll detected unusual activity on its internal network on Jan. 28, the company's breach notice says.
The firm determined on Feb. 2 that individuals' information may have been breached in the incident. Affected data includes name, address, birthdate and Social Security number. "It may also be inferred that you used or were considered for use of a Zoll product," the notice says.
Zoll's growing pile of recent lawsuits is the latest example of the messy fallout that entities in the healthcare sector can face in the aftermath of a major cybersecurity incident.
"The healthcare industry is a highly targeted industry for hackers, including for ransomware attacks, because of the sensitive information it is collecting and maintaining of its users," said Jason Johnson, a partner at law firm Moses Singer, who is not involved in the Zoll litigation.
"Medical device companies need to see this breach as an indication that it and other companies in the healthcare space are, and will continue to be, subject to an increased number of attacks and should evaluate and test their systems to ensure they are not currently under attack or at risk given their current controls in place," Johnson said.
This includes evaluating who has and who needs system administrative rights and removing rights where necessary, reviewing password policies, implementing two-factor authentication and conducting additional cybersecurity training for its workforce, he said.
All of this advice also pertains to medical device companies that collect sensitive patient information, he said.
"These companies need to evaluate their current cybersecurity posture and practices in order to put themselves in the best position to minimize the damage or harm caused when that data breach occurs."
The recent hacking incident is not Zoll's first major data breach that resulted in litigation.
Zoll in 2019 reported a breach affecting 277,000 individuals caused by an email server migration mishap involving one of the company's vendors, Barracuda Networks (see: Breach Lawsuit Spotlights Complex Vendor Issues). Zoll faced at least one class action lawsuit filed by individuals affected in that breach case, but the company also in 2020 filed its own litigation against Barracuda Networks. That case was dismissed in 2021.