The patients impacted by the ransomware attack on Elekta filed a lawsuit against the third-party vendor, alleging a number of patient safety concerns caused by the disruption of its cloud data systems brought on by the April security incident.
Elekta is a third-party vendor of radiation therapy, radiosurgery, and clinical management services for cancer treatment providers. The lawsuit seeks injunctive relief and an assessment of Elekta’s security controls to ensure the tools are adequately protecting protected health information.
Intermountain Healthcare and Advocate Aurora Health have since been added to the growing list of impacted entities, which includes service disruptions for 40 health systems and the compromise of patient data for at least 170 health care organizations.
A cyberattack against Elekta’s cloud-based storage system on April 6 forced some providers to cancel a number of radiation treatment appointments, due to the network outages. Recent breach notifications from impacted providers show that the ransomware attack was not the only incident for Elekta in April.
While the initial attack was isolated to a subset of U.S. cloud customers due to its geographical and service segmentation, some of Elekta’s health care clients were driven offline during the incidents. Other impacted providers reported that their data was possibly stolen during the attacks.
The lawsuit filed against Elekta on July 16 focuses on the impact to Northwestern Memorial HealthCare, which reportedly affected 201,197 patients.
A patient of Northwestern is seeking a class-action filing, reporting that her data was among the data compromised and possibly stolen during the April security incidents. The data included Social Security numbers, dates of birth, health insurance details, medical record numbers, demographic details, insurance cards, and other sensitive information.
The lawsuit alleges that Elekta failed to adequately secure protected health information collected from its clients, which poses a risk to identity theft, exposure on the dark web, potential fraud, and other data-related risks.
The breach victims also allege Elekta failed to timely notify patients of the potential data theft. The lawsuit seeks to address any inadequacies in Elekta’s security policies and procedures, as well as whether the vendor took adequate steps to determine the extent of the breach after it was discovered.
“[Elekta] was required to design, maintain, and test their security systems to ensure that these systems were reasonably secure and capable of protecting the personally identifiable information and protected health information of [patients],” according to the lawsuit.
“[Elekta] further owed to [patients] a duty to implement systems and procedures that would detect a breach of their security systems in a timely manner and to timely act upon security alerts from such systems,” it added.
Further, the vendor’s delayed response to the security incident caused treatments to be delayed for a number of patients across the U.S.
Although the care disruptions are briefly mentioned in the lawsuit, the allegations centered around the data theft and PHI compromise. A Supreme Court decision on the Sergio Ramirez v. TransUnion case in June concluded only individuals “concretely harmed” by a breach violation have standing to seek damages against an entity.
As a result, the lawsuit against Elekta will need to provide actual evidence of harm.
Elekta hit with two security incidents, including possible data theft
Elekta’s investigation into the incident found that the PHI belonging to some of its clients was accessed during the attack. The vendor notified all impacted entities that it was considering all of the data in its cloud system as compromised, as the investigation is ongoing.
The affected entities include Renown Health, Northwestern Memorial HealthCare, LifeSpan, and Yale New Haven, among a host of other large U.S. health care providers.
The Intermountain notice shows the attackers were able to access data on Elekta’s system for two weeks between April 6 and April 20. The incident only impacted four of Intermountain’s specialty clinics in southern Nevada that use Elekta for patient care purposes.
The investigation could not confirm what information was accessed or viewed by the attacker. But the data present on the server included patient names and scanned image files, which contained SSNs, dates of birth, demographic details, insurance cards, and other identification. No financial account or payment cards were compromised.
Advocate Aurora uses Elekta for the care coordination of its radiation services and therapies in seven of its Illinois care sites. The notice reported the Elekta attack did cause minimal patient disruptions due to the system outage, brought back online in mid-April.
However, Elekta experienced another security incident during that time frame which caused the vendor to again terminate use of the cloud system in late April. Elekta then moved Advocate Aurora’s data onto a newer IT platform.
However, the mid-April incident enabled the potential access and data theft of Advocate Aurora’s patient data. Elekta could not confirm just what data was compromised, and instead contacted all patients whose data was contained in the impacted server.
The affected data from Advocate Aurora could include patient names, SSNs, contact details, dates of birth, physical descriptions, driver’s licenses, diagnoses, medical treatments, appointment confirmations, and other patient-related information. No financial or credit card information was impacted. About 68,707 patients were notified their data was compromised.
The Elekta incident is among the ongoing vendor-related supply chain attacks currently behind some of the health care sector's largest incidents and the ongoing supply chain attacks against U.S. critical infrastructure entities.