Class Action Lawsuit Alleges Pruitt Health Ransomware Attack Due to Negligence
Pruitt Health is facing a class action lawsuit over a 2023 ransomware attack that exposed the protected health information of 56,405 patients. Pruitt Health, the operator of 180 care centers in Florida, Georgia, North Carolina, and South Carolina, suffered a ransomware attack in November 2023 that exposed patient data. The NoEscape ransomware group claimed responsibility for the attack and said 1.5TB of data was stolen. The stolen data was uploaded to its data leak site in December 2023; however, the data leak site was taken down before Pruitt Health was able to confirm exactly what data had been stolen.
Pruitt Health concluded that the types of data likely stolen in the attack included patient names, contact information, demographic information, dates of birth, government identification information, Social Security numbers, bank account numbers, health insurance information, and health information. Pruitt Health notified all individuals potentially affected by the attack in May 2024.
A class action lawsuit – Tina Clayton v. PruittHealth Inc. – was filed in the U.S. District Court for the Northern District of Georgia by former Pruitt Health employee Tina Clayton, whose personal information was potentially exposed as a result of the attack. Clayton alleges that the attack was made possible due to the negligence of Pruitt Health, which failed to implement reasonable and appropriate safeguards to prevent unauthorized access to employee and patient data.
Clayton alleges Pruitt Health used computers that were out of date, did not provide employees with training on email security and password protection, and had not developed and implemented procedures for dealing with ransomware attacks. The lawsuit also takes issue with the length of time it took Pruitt Health to notify the affected individuals. Notification letters were not mailed until 6 months after the attack occurred.
Clayton said she can’t be sure whether her data was exposed in the attack; however, she was notified about the potential exposure and has had to spend a significant amount of time protecting herself against the misuse of her sensitive data. Since the attack, Clayton claims to have spent around an hour a week monitoring her accounts for fraud and data misuse.
The lawsuit claims Clayton and the class members have suffered injuries as a result of the data breach and now face an imminent and heightened risk of identity theft, medical fraud, and other harms. The lawsuit alleges negligence, breach of fiduciary duty, breach of contract, and unjust enrichment and seeks class action certification, a jury trial, damages, and other relief deemed appropriate by the court. The plaintiff and class are represented by Ainsworth G. Dudley of Dudley Law LLC and Jarrett L. Ellzey and Leigh Montgomery of Ellzey & Associates PLLC.


