Yet another healthcare provider has been sued by a patient following a cyberattack and subsequent data breach. One of the patients affected by the June University of Florida Health security incident filed a lawsuit late last week, alleging the health system failed to protect patient data and held onto patient information long after it was needed.
The lawsuit stems from a May 31 cyberattack, which led two UF Health care sites to shut down its electronic health record and other connected systems to reduce the impact as the security team investigated the incident.
The outages at The Villages Regional Hospital and Leesburg Hospital lasted until June 25, which included access to system platforms between all UF Health hospitals and the UF campus. All care documentation and processes were done with pen and paper during the outage.
In August, UF Health confirmed that the attackers had access to the network as early as two days prior to the attack. During that time, it’s possible the actors gained access to patient data, including Social Security numbers, health insurance details, contact information, treatment data, and other sensitive information.
The lawsuit was first filed in state court on Sept. 15 and removed to the U.S. District Court of the Florida Middle District on Oct. 14. Surprisingly, the lawsuit focuses on the data breach, rather than the monthlong outage.
The breach victim alleges the ransomware attack was caused as a direct result of UF Health failing to adequately protect the health information of former and current patients, as well as “failing to follow applicable, required and appropriate protocols, policies and procedures regarding the encryption of data, even for internal use.”
UF Health is also accused of failing to implement effective security hardware to protect patient health information with effective and reasonable measures. The lawsuit further purports that as long as UF Health continues to employ the same, alleged, substandard security measures, patient data will continue to be at risk.
The lawsuit lists a host of security measures recommended by the government that UF Health should have implemented to prevent the ransomware attack, including effective software update and patch management processes.
As a result of UF Health’s alleged breach of contract and negligence, the breach victims “have suffered and will continue to suffer ongoing, imminent, and impending threat of identity theft crimes, fraud, and abuse, resulting in monetary loss and economic harm… the illegal sale of the [and] compromised data on the dark web.”
Further, the patient alleges she suffered “actual injury in the form of damages to and diminution in the value of her PII and PHI — a form of intangible property that… [the patient] entrusted to UFHCF for the purpose of her treatment, which was compromised.”
The lawsuit “contains no allegations that would support or suggest the amount in actual damages” to which the breach victims would be entitled. Instead, the patient is seeking recovery for time and money spent on efforts associated with preventing fraud, identity theft, and other potential actions the attackers could take.
The breach victim is asking the court to determine a number of questions not detailed in the UF Health breach notification, including whether the provider remediated the vulnerabilities that led to the breach and the state of UF Health’s security.
The lawsuit joins a number of similar healthcare breach-related lawsuits filed in the last few months. With the Supreme Court decision in June that requires victims to provide concrete evidence of harm, it’s unclear how the case will proceed.
For example, even before the Supreme Court ruling, a Delaware Supreme Court judge dismissed a similar lawsuit against Brandywine Urology Consultants in February as the victims failed to provide evidence of injuries or losses caused by the security incident in question.
“Delaware courts have not addressed the question of whether the imminent risk of future harm from a data breach constitutes an injury-in-fact sufficient to confer standing. [Brandywine] argues that it does not,” the judge explained at the time of the Brandywine ruling.
“Various federal courts have held that a plaintiff lacks standing to sue the party who failed to protect its data — in a lost data or potential identity theft case — where there is no proof of actual misuse or fraud,” he added. “Although some lower courts have disagreed, those courts still require a plaintiff to allege a ‘credible threat.’”