In the last week, patients impacted by the data breaches reported by Dupage Medical Group and Massachusetts-based Sturdy Memorial Hospital have filed two separate lawsuits, alleging negligence and insecure data practices.
The Sturdy Memorial class-action lawsuit was filed on Aug. 26, although the ransomware attack and data theft were first reported in May. For Dupage Medical, the lawsuit was filed by the lawyers of two patients on behalf of the other 655,000 breach victims on Sept. 2.
Sturdy Memorial Hospital
On February 9, a cyberattack disrupted hospital operations and the IT system, but the hospital was able to secure the network the same day with assistance from a third-party forensics team.
At the time of the breach notice, hospital officials reported threat actors stole patient information from its network prior to deploying the ransomware. Further, a ransom was paid to the attackers “with assurances that the information acquired would not be further distributed and that it had been destroyed.”
The investigation determined the exfiltrated data contained a host of patient information, including data from previous Sturdy Memorial partners, such as Harbor Medical Associates, South Shore Medical Center, and South Shore Physician Hospital Organization.
The threat actors did not break into the electronic health record system but into other servers that contained highly sensitive patient data, including Social Security numbers, credit card information, Medicare numbers, treatments, diagnoses, government identification, contact details, and more. The incident impacted a total of 57,379 individuals.
Although the incident was discovered in February, the investigation did not conclude that a breach had occurred until more than two months later, on April 21. The breach notice was not sent until more than 30 days after that, more than three months after the initial attack and exfiltration.
Those delays are part of the allegations outlined in the lawsuit.
Filed in the Plymouth County Superior Court of Massachusetts, the breach victims assert that Sturdy “breached its duties, and thus was negligent, by failing to use reasonable measures to protect personally identifiable information.”
The lawsuit argues that failing to notify patients about the incident in a timely manner put the individuals at risk and prevented them from taking timely and appropriate steps to mitigate the risk of identity theft and other damages.
Sturdy Memorial is also accused of failing to adopt and maintain adequate security measures to safeguard private information, as outlined in the hospital’s privacy practices, along with failing to monitor its network and system security.
“It was foreseeable that [Sturdy Memorial’s] failure to use reasonable measures to protect [patients’] PII would result in injury to [individuals],” the lawsuit claims. “Further, the breach of security was reasonably foreseeable given the known high frequency of ransomware attacks and data breaches.”
Also notable, the lawsuit argues that as the victims “conferred a monetary benefit” to the hospital, Sturdy Memorial had a duty to safeguard patient data and “instead unjustly enriched itself by failing to make the expenditures.”
The breach victims are seeking a jury trial and asking for compensatory and consequential damages, which are estimated to exceed $50,000.
Dupage Medical Group (DMG)
Days after notifying more than 655,000 patients of a potential data breach, the victims filed a lawsuit against the Chicago-based independent physicians group for alleged negligence, breach of contract, and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.
As reported on Aug. 31, DMG was hit with a cyberattack on July 12 and 13 that resulted in the compromise of some patient-related information. The incident disrupted the network for several days, which a later investigation determined was caused by threat actors gaining access to certain portions of the network.
The compromised data was limited to patient names, contact details, treatment dates, diagnosis codes, and Current Procedural Terminology (CPT) codes tied to procedures. This type of data is commonly used by cybercriminals in fraud attempts. Some SSNs were compromised for a smaller subset of patients, but no financial data was affected during the incident.
Despite reporting the breach within the 60-day timeframe set out in the Health Insurance Portability and Accountability Act (HIPAA), the lawsuit argues DMG failed to provide timely and adequate notice.
The lawsuit also claims that DMG's discovery of the hack was delayed, despite DMG finding the attackers on the network within 24 hours. Compared to other massive data breaches reported in the health care sector that went unnoticed for more than a year, DMG's response time appears to be ahead of the curve.
The breach victims assert they are now at “heightened and imminent risk of fraud and identity theft” and “will continue to incur out-of-pocket costs for, e.g., purchasing credit monitoring services, credit freezes, credit reports, or other protective measures to deter and detect identity theft.” DMG did provide all impacted individuals with free credit monitoring and identity theft protection.
The lawsuit is seeking compensatory damages and reimbursement of out-of-pocket costs, as well as requirements for DMG to improve its data security systems and to submit to annual security audits going forward.