The New York ambulance service, Empress EMS, is facing multiple class action lawsuits over a ransomware attack that was detected on July 14, 2022. The Hive ransomware group was behind the attack, and as per the group’s modus operandi, after gaining access to the network, sensitive files were stolen, then files were encrypted.
According to the breach notifications sent by Empress EMS, the unnamed ransomware actors stole files that included names, dates of birth, demographic information, diagnosis and treatment information, medical record numbers, dates of service, insurance information, prescription information, and, for a small subset of individuals, Social Security numbers. Those files were stolen on July 13, 2022. The Hive ransomware group published some of the stolen data on their data leak site, but the data was promptly removed. According to databreaches.net, which contacted the Hive group, Empress EMS paid the ransom.
The breach investigation revealed the ransomware gang first gained access to the network on or around May 26, 2022. Notification letters were sent to affected individuals on September 9, 2022. The breach was reported to the HHS’ Office for Civil Rights as affecting up to 318,558 individuals. Individuals whose Social Security numbers were exposed or stolen were offered complimentary credit monitoring services.
The latest lawsuit, filed in Manhattan Federal court on behalf of plaintiff Robert D’Agostini and similarly situated individuals, alleges negligence for failing to adequately protect patient data, breach of implied contract, and violations of New York General Business law. The lawsuit also alleges Empress EMS violated HIPAA.
The lawsuit takes issue with the length of time it took Empress EMS to identify the intrusion – almost 2 months – and the length of time it took to notify affected individuals – more than 7 weeks. The lawsuit alleges Empress EMS unreasonably delayed issuing notifications. It should be pointed out that HIPAA allows regulated entities a maximum of 60 days to issue notifications from the date of discovery of a data breach, but states that notifications should be sent without unreasonable delay.
The lawsuit also claims that key information was omitted from the breach notification letters, specifically that the Hive ransomware gang was behind the attack – a group known to steal and publicly leak stolen data. The Hive group claimed to have stolen more than 100,000 Social Security numbers, which the lawsuit points out is not “a small subset of files.”
The lawsuit claims the plaintiffs and class members have had their privacy violated, their protected health information is in the hands of hackers, their PHI has been publicly leaked, and they face an imminent and ongoing risk of fraud and identity theft. The lawsuit seeks class action status, a jury trial, actual damages (or $50 per class member, whichever is higher), treble damages, and punitive damages. The lawsuit is one of at least 4 complaints that have been filed against Empress EMS over the data breach.
The post New York Ambulance Service Facing Multiple Class Action Lawsuits over Ransomware Attack appeared first on HIPAA Journal.