HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Class Action Lawsuit Filed Against US Fertility Over September 2020 Ransomware Attack

US Fertility is facing a class action lawsuit over a September 2020 ransomware attack and data breach that affected 878,550 individuals.

US Fertility provides IT platforms and administrative, clinical, and business information services, and is one of the largest providers of support services to infertility clinics in the United States. On September 14, 2020, US Fertility discovered ransomware had been used to encrypt files on its network. The investigation revealed the threat actors behind the attack exfiltrated files between August 12 and September 14, 2020, some of which contained protected health information.

The types of data obtained by the hackers included names, addresses, dates of birth, driver’s license and state ID numbers, passport numbers, medical treatment/diagnosis information, medical record information, health insurance and claims information, credit and debit card information, and financial account information.

The class action lawsuit, brought by Plaintiffs Alec Vinsant and Marla Vinsant, alleges US Fertility failed to implement adequate data security measures, which caused them to suffer irreparable harm and placed them at an increased risk of identity theft and fraud.

The harm suffered by the breach victims that the lawsuit seeks to address includes the theft of personal data and its exposure to cybercriminals, unauthorized charges on credit/debit card accounts, costs associated with the detection and prevention of identity theft and unauthorized use of financial accounts, damages due to accounts being suspended or rendered unusable, inability to withdraw funds, costs and time associated with mitigating the breach and preventing future negative consequences, and imminent and impending injury from potential fraud and identity theft as a result of personal information being sold on the dark web.

Class action lawsuits often allege harm, although in many cases the lawsuits fail as the plaintiffs are unable to provide evidence of injuries or losses sustained as a direct result of the data breach. That was the case with the proposed class action lawsuit against Brandywine Urology, which was recently dismissed by the Delaware Superior Court. Whether the lawsuit against US Fertility succeeds is likely to depend to a large extent on whether the plaintiffs can provide sufficient evidence that they have suffered actual harm due to the ransomware attack and data breach.

Plaintiff Alec Vinsant alleges someone used his Social Security number to fraudulently apply for unemployment benefits in Nevada one month after the data breach occurred, and plaintiff Marla Vinsant said her credit score had unexpectedly fallen by 50 points following the attack.

The lawsuit alleges US Fertility was on notice that the healthcare industry was being targeted by ransomware gangs and was aware of the need to encrypt data, yet failed to do so, and US Fertility failed to comply with Federal Trade Commission requirements for data security. The lawsuit alleges negligence, breach of implied contract, unjust enrichment, and violations of the Nevada Deceptive Trade Practices Act.

The lawsuit seeks class action status, a jury trial, damages for plaintiffs and class members, reimbursement of out-of-pocket expenses and legal costs, and other relief. The lawsuit also requires US Fertility to implement proper data security policies and practices, including encryption of sensitive data, deletion or destruction of class members' PII, proper network segmentation, and penetration tests; to provide further security awareness training for the entire workforce; and to undergo third-party security audits, database scanning, and firewall tests.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.