Atlanta Women’s Health Group Sued Over 2023 Ransomware Attack
Atlanta Women’s Health Group is facing a class action lawsuit over an April 2023 cyberattack that saw an unauthorized third party gain access to its servers and the sensitive data of tens of thousands of its patients. Atlanta Women’s Health Group discovered the attack on April 12, 2023, and its forensic investigation confirmed that patients’ protected health information had been exposed. The types of information involved included names, dates of birth, patient ID numbers, and other information that may be contained in medical records. It was not possible to determine the exact types of information that were accessed or acquired, so notifications were sent to all individuals who had potentially been affected.
A lawsuit – M.T., vs. Atlanta Women’s Health Group P.C. – was filed in the U.S. District Court for the Northern District of Georgia Atlanta Division that alleged the OB/GYN healthcare provider had implemented inadequate data security measures and breached its duties imposed by law. As a result of those failures, unauthorized individuals were able to gain access to its network and steal highly sensitive patient data. Had appropriate cybersecurity measures been implemented, the cyberattack and data breach could have been avoided.
The lawsuit also alleged that while the Department of Health and Human Services’ Office for Civil Rights was notified about the breach within 60 days of discovery, it took Atlanta Women’s Health Group 10 months to issue email notifications to the plaintiff and class members about the attack and did not explain the reason for the delay. The letters stated that all patients were notified about the attack out of an abundance of caution; however, if that is the case, there was no reason to wait 10 months to send the notifications. The lawsuit also stated that the notification letters did not explain when the attack occurred, only when it was detected, and that while Atlanta Women’s Health Group claimed to have obtained evidence that the hackers had deleted the stolen data, the practice has no proof that the data has been permanently erased and copies of that data have not been made by the attackers.
The lawsuit claims the plaintiff and class members have been “exposed to a present injury in the form of actual misuse of their PII and PHI and have further been exposed to an ongoing substantial, heightened, and imminent risk of financial fraud and identity theft for years to come,” and that they have “suffered numerous actual and concrete injuries and damages.” The lawsuit alleges breach of fiduciary duty, negligence, negligence per se, and invasion of privacy/intrusion upon seclusion and seeks class action certification, a jury trial, and declaratory and injunctive relief. The plaintiffs are represented by MaryBeth V. Gibson of the Gibson Consumer Law Group, LLC; Todd McClelland of Sterlington, PLLC; Michael Sullivan, David H. Bouchard, and Gabriel Knisely of Finch McCranie, LLP.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy