One Brooklyn Health Faces Lawsuit Over 235K-Record Data Breach
One Brooklyn Health, based in New York City, manages three acute care hospitals: Interfaith Medical Center, Brookdale Hospital Medical Center, and Kingsbrook Jewish Medical Center. A class-action lawsuit has been filed against One Brooklyn Health in connection with a data breach that was uncovered in November 2022.
One Brooklyn Health discovered suspicious activity inside its computer systems on November 19, 2022. It secured the network promptly and started a forensic investigation, which confirmed that an unauthorized third party had intermittent access to its network from July 9, 202 to November 19, 2022. The review of the affected documents was completed on March 21, 2023, and One Brooklyn Health sent notification letters on April 20, 2023. The data compromised and possibly stolen in the attack included names, birth dates, billing and claims information, treatment information, medical record numbers, prescription medications, health insurance details, and Social Security numbers. Over 235,000 patients were affected.
On April 26, 2023, the law firms Wittels McInturff Palikovic and Shub & Johns LLC filed a lawsuit on behalf of plaintiff Kiya Johnson and similarly situated persons in the Supreme Court of the State of New York, County of Kings. The lawsuit claims that One Brooklyn Health knew about the sensitive patient information it stored, the threat posed by cybercriminals, and its obligation under the Health Insurance Portability and Accountability Act to secure that information, yet failed to implement reasonable and appropriate security measures, thereby enabling unauthorized persons to gain access to its systems and steal patient information.
The lawsuit claims the plaintiff and class members have had to devote considerable time and money to protecting themselves against misuse of their protected health information (PHI), and that they still face potential harm and a continuing risk of identity theft and fraud. The lawsuit alleges eight causes of action: negligence per se, negligence (plaintiff and class), breach of confidence, breach of fiduciary duty, intrusion upon seclusion/invasion of privacy, unjust enrichment, breach of implied contract, and violations of the New York General Business Law.
The lawsuit seeks a jury trial, damages, injunctive relief, restitution, class action status, and an order requiring One Brooklyn Health to improve its data security practices.
Class Action Lawsuit Filed Against 90 Degree Benefits Over 181,500-Record Data Breach
90 Degree Benefits is facing a lawsuit over a breach of the PHI of 181,543 individuals. Unauthorized system activity discovered on or about December 10, 2022 led to a forensic investigation, which confirmed that unauthorized individuals had access to its systems from December 5, 2022 to December 10, 2022. During that time, the attackers accessed parts of its network that held the names of patients and health plan members, along with addresses, birth dates, Social Security numbers, medical data, and payment data. Affected individuals were notified of the breach by mail on or about April 7, 2023.
The lawsuit claims 90 Degree Benefits knew or should have known of the risk of hacker attacks, given the degree to which the healthcare sector has recently been targeted, and particularly because 90 Degree Benefits had suffered a similar data breach in February 2022. That earlier breach should have made the inadequacy of its data security measures, and the need for improvement, obvious. Yet despite that previous breach, its data security remained insufficient.
The lawsuit claims the plaintiffs have incurred out-of-pocket expenses and spent time protecting themselves against misuse of their data, and that the risk of identity theft and fraud will persist for years to come. Consequently, the plaintiffs and class members will need to keep investing time and money to protect themselves from fraud indefinitely.
The lawsuit alleges breach of implied contract, negligence, and violations of the Wisconsin Confidentiality of Health Records Law and the Wisconsin Deceptive Trade Practices Act. It seeks a jury trial, class action certification, damages, reimbursement of out-of-pocket costs, and injunctive relief, including encryption of data, changes to data retention practices, implementation of a comprehensive data security program, regular third-party security audits and penetration tests, and a court order prohibiting 90 Degree Benefits from storing PHI in cloud-based databases.
The defendants named in the lawsuit are 90 Degree Benefits Inc. and 90 Degree Benefits, LLC, and the named plaintiffs are Steven Greek and Jon Boyajian. The law firms Ademi LLP, Federman & Sherwood, and Murphy Law Firm filed the case in the U.S. District Court for the Eastern District of Wisconsin.
Patient Drops Injunction to Compel Healthcare Provider to Pay Ransom
There is an update on the lawsuit filed against Lehigh Valley Health Network. The lawsuit stems from a ransomware attack that led to the theft of sensitive patient data and the online exposure of nude images of patients.
Lehigh Valley Health Network discovered the attack on February 6, 2023, and received a ransom demand from the attacker. The BlackCat ransomware group threatened to publish the stolen information on the internet if the ransom was not paid. Although it is common for ransomware groups to steal sensitive information and leak files when a victim does not respond, BlackCat went further by publishing nude patient images to pressure Lehigh Valley Health Network into paying. The photographs showed patients naked from the waist up while undergoing radiation oncology treatment. The ransomware group demanded approximately $5 million. Lehigh Valley Health Network did not pay the ransom.
The lawsuit, filed in the Court of Common Pleas of Lackawanna County in Pennsylvania, alleges that Lehigh Valley Health Network failed to adequately protect patient information and did not meet its obligations under the Health Insurance Portability and Accountability Act (HIPAA). The ransomware group posted nude images of the lead plaintiff, Jane Doe, who claims she was unaware that the attackers had taken her photographs.
The lawsuit seeks a jury trial, class action status, damages, reimbursement of out-of-pocket expenses, equitable and injunctive relief, and a court order requiring Lehigh Valley Health Network to improve its network security and provide the plaintiff and class members with identity theft protection services.
The plaintiff also wanted her partially nude photographs removed from the web. Since Lehigh Valley Health Network has no control over the photographs, the plaintiff requested a court order compelling Lehigh Valley Health Network to pay the ransom and have the BlackCat group remove the images from the internet.
The plaintiff's legal team argued that she is worried the images could be discovered online by her employer or coworkers. Aside from being deeply upsetting, the exposure is a violation of patient privacy, and they argued that compelling Lehigh Valley Health Network to pay the ransom was the only way to get the images removed from the web.
The plaintiff's request raises important legal questions, chiefly whether a court can compel a defendant to take a potentially illegal action. Although paying a ransom is not prohibited under U.S. law, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) can impose sanctions on companies that make ransom payments to sanctioned cyber actors.
Judge Manion asked the plaintiff's legal team to file a brief in support of their motion for a preliminary injunction, specifically citing authority for the proposition that the court could compel a party to carry out an illegal act or pay an illegal ransom. Instead, on April 18, 2023, the plaintiff withdrew the request for an injunction compelling Lehigh Valley Health Network to pay the ransom.