Healthcare , Incident & Breach Response , Industry Specific
One Brooklyn Reports Breach, Faces Lawsuit Post-CyberattackMore Than 235,000 Affected; Proposed Class Action Alleges Negligence, Other Claims
A safety net hospital system in New York City faces a proposed class action lawsuit tied to a late 2022 cybersecurity incident that breached the personal information of more than 235,000 patients.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The incident affected three One Brooklyn Health System hospitals and several other facilities. First discovered on Nov 19, 2022, the incident caused patient rerouting and disrupted access to electronic health records and patient portals for more than a month.
One Brooklyn has not publicly stated whether the incident involved ransomware and was tight-lipped about its situation during its immediate response to the attack (see: Brooklyn Hospitals Decried for Silence on Cyber Incident).
One Brooklyn hospitals affected by the incident were Brookdale Hospital Medical Center, Interfaith Medical Center, and Kingsbrook Jewish Medical Center, as well as several nursing homes and health clinics (see: One Brooklyn Not Over November Cyber Incident).
One Brooklyn on April 20 disclosed that the hacking incident has affected 235,251 individuals.
Individuals affected include One Brooklyn patients, employees and their spouses, dependents and beneficiaries, the organization said. "At this time, OBH is unaware of any actual or attempted misuse of the affected information as a result of this incident."
The proposed class action lawsuit filed Wednesday in the Kings County Supreme Court in Brooklyn asserts the hospital system was negligent by failing to adequately protect sensitive health and personal information, putting affected individuals at risk for identity theft and fraud.
The lawsuit also alleges that One Brooklyn violated New York state consumer protection laws and failed to provide affected individuals with timely notification about the breach. The suit seeks monetary damages, restitution and injunctive relief.
"We are seeking to hold OBH accountable by requiring it to compensate victims of the data breach and to ensure that adequate security measures are implemented to prevent an event like this from happening again in the future," said plaintiff attorney Benjamin Johns, of the law firm Shub & Johns LLC.
The injunctive relief sought includes requiring One Brooklyn to implement improved data security practices.
A breach notice posted on One Brooklyn's website says an investigation into the incident determined that an "unauthorized actor acquired a limited amount of OBH data during a period of intermittent unauthorized access to OBH’s computer systems between July 9, 2022, and Nov. 19, 2022."
The organization says it concluded its review on March 21, finding the incident affected information including names, Social Security and driver's license numbers, birthdates, financial account information, medical treatment and diagnosis and health insurance information.
One Brooklyn in its breach notice says the organization is reviewing its existing data protection policies and training protocols and has implemented "enhanced security measures and additional monitoring tools to reduce any risk associated with this incident and to better prevent similar incidents in the future."
The system did not immediately respond to Information Security Media Group's request for comment on the lawsuit and for additional details pertaining to the cybersecurity incident.