Lawsuits After Ransomware Incidents: The Trend Continues
In Latest Case, Florida Practice Sued for Damages, and Security Mandates Sought
A lawsuit seeking damages as well as security mandates has been filed against a Florida-based orthopedic group in the wake of a ransomware incident. It's the latest in a series of such legal actions in healthcare, including one in which a preliminary settlement has been reached.
The preliminary settlement reached last month in a ransomware-related lawsuit against UnityPoint Health would require the organization to improve its network and data security to address vulnerabilities and safeguard patient data.
The Latest Lawsuit
The new lawsuit against Musculoskeletal Institute - which does business as Florida Orthopaedic Institute - alleges the Tampa, Fla.-based entity was "lackadaisical, cavalier, reckless, or in the very least, negligent" in maintaining the privacy of patients' information.
"As a result of defendant's failure to implement and follow basic security procedures plaintiffs' and class members' PII is now in the hands of thieves and unknown criminals," the lawsuit, which is seeking class action status, alleges.
Because patients whose data was exposed face a risk of identity theft, they have had to spend "significant time and money" to protect themselves due to defendant's failures, the lawsuit alleges.
The lawsuit claims that the Florida practice's "failure to protect and otherwise safeguard its computers resulted in the exposure of the PHI and PII of at least 100,000 patients and potentially in excess of 150,000 current and former patients" after an April ransomware attack.
As of Monday, the ransomware incident was not posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool listing health data breaches affecting 500 or more individuals.
Improving Data Security
In addition to negligence, the lawsuit claims the incident was an invasion of privacy, breach of implied contract, breach of fiduciary duty, unjust enrichment and a violation of Florida's Deceptive and Unfair Trade Practices Act.
The lawsuit is seeking damages plus a court order compelling the practice to:
- Hire third-party security auditors/penetration testers as well as internal security personnel to test systems on a periodic basis and then correct any issues detected;
- Engage third-party security auditors and internal personnel to run automated security monitoring;
- Audit, test, and train security personnel regarding any new or modified procedures;
- Segment PII by creating firewalls and access controls so that if one area of the network is compromised, hackers cannot gain access to other portions of the entity's systems;
- Purge, delete, and destroy PII not necessary for provision of services;
- Conduct regular database scanning and securing checks;
- Continually train internal security personnel on how to identify and contain a breach.
In a statement issued in June, Florida Orthopaedic Institute said it discovered on April 9 that a ransomware attack had encrypted data stored on its servers.
The specialty medical group said it took "immediate steps to restore impacted data, further secure [its] environment, and initiate an internal investigation into the issue."
On May 6, the investigation revealed that the personal information of certain patients may have been accessed or taken during the incident, the statement says, adding that the group is not aware of the misuse of any information impacted by the incident.
Based on its investigation, the medical group says personal information exposed in the incident may have included names, dates of birth, Social Security numbers, medical information related to appointment times, physician locations, diagnosis codes, payment amounts, insurance plan identification numbers, payer identification numbers, claims addresses or claims history.
Brett Callow, a threat analyst at security firm Emsisoft, says that to date, he has not seen any of Florida Orthopaedic Institute's data show up on darknet "leak sites," as has become common after other recent ransomware incidents that involve data exfiltration.
"Ransomware attacks are now very often data breaches and, as such, expose impacted entities to a myriad of potential legal problems in addition to the usual problems of reputational damage, business interruption and data loss," he says.
It's not clear whether the medical group paid a ransom after the ransomware incident.
Consumers whose personal information was disclosed in a security breach or ransomware incident often have a steep hill to climb when suing a healthcare organization whose information systems were compromised, notes privacy attorney David Holtzman, principal of HITprivacy LLC, a consultancy.
"To get through the courthouse door, many judges require the lawsuit show that there was an actual or imminent injury to the consumer from the disclosure of their personal information and that it can be directly tied to the security incident that resulted in the unauthorized disclosure of their personal information," he says.
If that hurdle is overcome, the lawsuit proceeds to the discovery phase, where the healthcare organization might be required to provide details about how the organization managed its information security as well as the investigation of the incident, he notes.
Technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C. notes that plaintiffs in data breach-related lawsuits must educate the court "about the present and continuing safety and privacy implications of such attacks, regardless of type."
After a ransomware attack that did not involve data exfiltration, "the issue will largely focus on safety - the inability of a patient to obtain services from a healthcare provider - and in the time of a pandemic the critical nature of this type of attack is heightened," he notes. For a ransomware attack involving exfiltration of data, the threat to patients also includes criminals using sensitive information "to compromise identities for years to follow," he adds.
Neither Florida Orthopaedic Institute nor attorneys representing plaintiffs in the lawsuit immediately responded to Information Security Media Group's request for additional information.
Among similar recent legal cases is a lawsuit filed in late May against accounting firm BST & Co. CPAs LLC in the wake of a 2019 ransomware incident that allegedly exposed the information of more than 170,000 individuals - including patients of Community Care Physicians, a large multispecialty medical group in upstate New York (see: Hacking of Accounting Firm Affects Medical Group).
"It is a good bet that we will continue to see more class action lawsuits brought by consumers whose personal information has been disclosed by healthcare organizations and their vendors," Holtzman notes. "Through failing to implement 'reasonable security procedures,' healthcare organizations will continue to be defending themselves from privacy and data breach class action lawsuits."