A ransomware attack earlier this year against a Massachusetts hospital has led to a class action lawsuit that seeks unspecified damages on behalf of all patients affected by the attack. It is yet another example of the unanticipated consequences of cyberattacks, and follows news of a similar lawsuit filed in Ireland after a ransomware attack on Ireland’s Health Service Executive (HSE) led to the breach of sensitive patient data.
The lawsuit was filed by attorneys representing Barbara Kagan Bennett, one of tens of thousands of people whose personal patient information became compromised in the attack. The lawsuit contends that the hospital should have taken better precautions to prevent cyber attackers from accessing and stealing sensitive patient data, and lawyers for the plaintiff are seeking unspecified damages.
On February 9, Sturdy Memorial Hospital said in a breach notice that an unauthorized individual had accessed and stolen patient data, according to a report earlier this year in HIPAA Journal. The attacker issued a ransom demand in return for a promise not to publish or sell the stolen patient data. The hospital decided to pay an unspecified ransom and was told the stolen data would be permanently destroyed. Note that such a promise is unverifiable: once data has left the network, paying does not remove the attacker’s copy, and the hospital still had to treat the incident as a breach.
Forensic investigators reviewed the attack in April and determined the extent of the breach and which categories of data were affected. Patients were notified the following month. The stolen health data belonged not only to Sturdy Memorial patients, but also to patients of affiliates Harbor Medical Associates and South Shore Medical Center, and of partners associated with South Shore Physician Hospital Organization.
Recent studies show that cybercriminals have increasingly targeted outpatient facilities and third-party affiliates, whose cybersecurity practices are often less mature than those of larger organizations. The Sturdy Memorial attack exposed sensitive data that may have included Social Security and driver’s license numbers, bank account and routing numbers, and credit card information, according to the hospital’s breach notification.
Attorneys for the plaintiff have argued that the hospital is liable for failing to secure personal patient data from unauthorized access and theft. In addition, the attorneys have taken issue with the two years of free credit monitoring offered by the hospital, arguing that misuse of stolen patient data is likely to have consequences lasting far longer than two years (Social Security numbers and medical histories cannot be reissued the way a card number can), and that such monitoring does not represent adequate compensation for a data breach.
Protected Health Information (PHI) is among the most heavily regulated categories of data in the United States. Failure to comply with the requirements laid down by HIPAA can have dire consequences. Civil penalties can reach $1.5 million per year for each violated provision. Criminal penalties can result in up to 10 years in prison. This is to say nothing of the damage to an institution’s reputation if patients lose confidence that their personal data will be protected.
SecureDrives Protect PHI
A growing number of healthcare providers have turned to SecureData for data security solutions that help maintain compliance with HIPAA regulations and keep sensitive patient data protected both within care facilities and in transit. Doctors often work in multiple locations, and they need to access records on the go; portable media that leaves the building is exactly where unencrypted PHI is most likely to be lost or stolen.
This was the case with two Ohio-based healthcare providers. Both Western Reserve Hospital and Crystal Clinic Orthopaedic Center needed to strengthen their data storage strategies. They needed to ensure that every portable drive coming in and out of their facilities was encrypted, and that the drives could be remotely managed by IT administrators.
SecureDrive BT and SecureUSB BT external drives are FIPS-validated. They use hardware encryption performed on the drive itself, so the encryption does not depend on the host computer’s software or operating system. Users authenticate via a secure mobile app over a Bluetooth connection, and can also use the biometric authentication features of their smartphones or smartwatches as an additional factor.
Our BT product line is remote management-ready out of the box. A subscription to our Remote Management Console gives IT administrators control over where, when, and how drives can be unlocked, through geo-fencing (restricting unlock to approved locations) and time-fencing (restricting unlock to approved hours). Administrators can also log all drive activity and remotely wipe a drive’s contents if it is lost or stolen.