OakBend Medical Center in Richmond, TX, and Keystone Health in Chambersburg, PA, are facing class action lawsuits over recent hacking incidents that resulted in the exposure and theft of the protected health information of hundreds of thousands of patients.
OakBend Medical Center
On September 1, 2022, OakBend Medical Center discovered its systems had been compromised and files had been encrypted. The breach was contained and access to its network was terminated, and a forensic investigation was conducted to determine the nature and scope of the attack. The forensic investigation confirmed that the attackers had exfiltrated files containing patient data. OakBend Medical Center said entire medical records do not appear to have been stolen. The stolen data included names, contact information, dates of birth, and Social Security numbers. The threat actors behind the attack – Daixin Team – claim the data they stole included 1 million patient records, although that has yet to be confirmed by OakBend Medical Center.
On October 28, 2022, two patients affected by the data breach – Ryan Higgs and Alissa Wojnar – took legal action over the theft of their protected health information. The lawsuit was filed by Dallas, TX-based attorney Joe Kendall in the District Court for the Southern District of Texas and alleges OakBend Medical Center maintained the private information of patients “in a reckless manner,” and failed to properly monitor its IT network. The lawsuit alleges negligence, negligence per se, breach of implied contract, breach of fiduciary duty, intrusion upon seclusion, invasion of privacy, and unjust enrichment.
The plaintiffs claim they have suffered the loss of the benefit of their bargain, out-of-pocket expenses, the value of their time that was incurred to remedy and mitigate the effects of the attack, emotional distress, and the imminent risk of future harm caused by the compromise of their sensitive personal information. The lawsuit seeks class action status, compensatory damages, reimbursement of out-of-pocket expenses, and injunctive relief that requires OakBend Medical Center to implement additional security measures to better protect patient data and to also provide adequate credit monitoring services to affected patients.
Keystone Health
On August 19, 2022, Keystone Health discovered its network had been compromised. After systems were secured, a forensic investigation was launched to determine the scope of the attack, and it was confirmed that hackers had access to its network between July 28, 2022, and August 19, 2022. During that time, they had access to sensitive patient data including names, Social Security numbers, and clinical information. The breach affected 235,237 patients, who were notified on October 14, 2022.
A lawsuit was filed in the District Court for the Middle District of Pennsylvania by the law firm Milberg Coleman Bryson Phillips Grossman, PLLC that named Jacob Whitehead as plaintiff, on behalf of his minor son. The lawsuit alleges Keystone Health failed to properly secure and safeguard personally identifiable information, and that the private information of patients was maintained in a reckless and negligent manner that made it vulnerable to cyberattacks.
The lawsuit alleges negligence for failing to implement minimum industry standards for protecting patient data and claims Keystone Health failed to meet its obligations under the HIPAA Security Rule as appropriate safeguards had not been implemented to protect patients’ electronic protected health information. The lawsuit also alleges a violation of the HIPAA Breach Notification Rule for failing to properly notify patients about the data breach.
The lawsuit claims the plaintiff and others affected by the data breach are now at significant risk of identity theft and various other forms of personal, social, and financial harm. They allege an injury has been sustained in the form of the lost or diminished value of their private information, out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their private information, lost time and opportunity, and a continued and substantially increased risk of cyberattacks and fraud.
The lawsuit seeks class action status, a jury trial, damages, and equitable and injunctive relief, including a requirement for Keystone Health to ensure it has an effective and comprehensive security program, to undergo independent security audits and penetration tests, to engage internal personnel to run automated security monitoring, and to provide security awareness training to all employees, at least annually.
The post Lawsuits Filed Against OakBend Medical Center and Keystone Health Over Data Breaches appeared first on HIPAA Journal.