Two patients have filed a lawsuit seeking class-action status against a medical group after the physician’s group announced that it would be notifying 600,000 patients that their personal information may have been compromised during a July cyber attack. The lawsuit alleges that the medical group did not do enough to protect patients’ personal information and didn’t alert the patients quickly enough about the breach.
In mid-July the medical group experienced a computer and phone outage that lasted nearly one week. Following the outage, the medical group worked with cyber-forensic specialists to investigate the incident. It was determined that the incident was caused by “unauthorized actors” who accessed its network between July 12 and July 13, 2021. Additionally, the investigators determined that certain files containing patient information may have been exposed. The compromised data may have included names, addresses, dates of birth, diagnosis codes, codes identifying medical procedures, and treatment dates. A small number of people may have had their social security numbers compromised also.
The complaint alleges, “As a result of the data breach, plaintiffs and class-action members have been exposed to a heightened and imminent risk of fraud and identity theft.” A partner with the law firm representing the plaintiffs stated that the situation is especially threatening for patients because of the types of information that may have been compromised and because of the fact that the information was potentially exposed as part of a cyber attack, rather than by accident.
The medical group said it is offering free credit monitoring and identity theft protection services to patients who may be affected. It has also stated that the affected patients can call a toll free number for more information, but the lawsuit alleges that when the number was called by the two plaintiffs on September 1, 2021, they were not told whether they were affected by the breach, and to wait for a letter in the mail.
When asked why patients haven’t been able to get information from the toll free number, the medical group said in a statement on September 1, 2021, that if people don’t get the information they want through the call center, that their requests are provided to the medical group to be addressed. People whose information was not compromised in the breach will not receive letters.
The plaintiffs are seeking damages, reimbursement of out-of-pocket costs, and improvements to the medical group’s data security systems, among other things.
Issue:
The healthcare sector is now one of the largest victims of ransomware due to its vulnerability to confidentiality and the critical nature of online patient records. It is imperative that all nursing facilities become proactive in preventing ransomware attacks to avoid data breaches which are reportable in terms of the Health Insurance Portability and Accountability Act (HIPAA). Nursing facility leaders and the Privacy Officer should be aware of the new tactics that are being used in malicious ransomware attacks and provide training to all staff with access to electronic medical records, email, or internet on best practices to prevent a ransomware attack. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 6 Data Integrity.
Discussion:
- Review facility policies and procedures on cybersecurity. Ensure that policies are kept current based on best practices designed to prevent ransomware attacks.
- Train all appropriate staff on best practices to prevent the introduction of malware into their electronic records system. Document that the trainings occurred and file in each employee’s education file. Provide additional training as new information becomes available.
- Periodically audit to ensure that staff are knowledgeable and utilizing best practices in preventing ransomware attacks.
