
Einstein Healthcare Network Facing Class Action Lawsuit over 2020 Phishing Attack

The Philadelphia-based health system, Einstein Healthcare Network, is facing a class action lawsuit over an August 2020 phishing attack that resulted in multiple employee email accounts being accessed by an unauthorized individual.

Einstein Healthcare is a non-profit health system that operates four hospitals – Einstein Medical Center Philadelphia, Elkins Park Hospital, MossRehab in Elkins Park, and Einstein Medical Center Montgomery – and multiple outpatient and primary care clinics throughout the greater Philadelphia area.

The investigation into the breach determined the email accounts were subjected to unauthorized access for 12 days between August 5 and August 17, 2020. A review of the compromised email accounts revealed they contained the protected health information of 353,616 patients, including names, dates of birth, account/medical record numbers, medical information such as diagnosis and treatment information and, for some individuals, Social Security numbers and health insurance information.

Patients affected by the breach were first notified by mail starting October 9, 2020, while the incident was still being investigated. Further notifications were sent between January 21 and February 8, 2021, once it became clear that more individuals had been affected.


Following the breach, the health system implemented additional security measures to prevent further breaches and retrained the workforce on how to identify suspicious emails. Individuals whose Social Security number was exposed were offered complimentary credit monitoring and identity theft protection services for 12 months.

The lawsuit was filed by law firm Morgan & Morgan, with Einstein Healthcare patient Nanette Katz of Blue Bell, PA, named as lead plaintiff. The lawsuit alleges Einstein Healthcare failed to secure and safeguard the protected health information of patients and had not implemented or followed basic security procedures. As a result of that alleged negligence, the lawsuit claims, sensitive patient information is now in the hands of cybercriminals and patients face a substantial risk of identity theft. It further alleges that, because of the breach, patients have had to spend, and will continue to spend, a significant amount of time and money protecting themselves against identity theft and fraud.

The lawsuit also alleges the healthcare provider failed to provide timely notifications to patients, with the lead plaintiff first receiving notification about the breach in January 2021, more than 6 months after the breach and alleged theft of her PHI. The lawsuit says the breach response was “untimely and woefully deficient, failing to provide basic details concerning the data breach.”

The lawsuit seeks monetary damages for the plaintiff and class members, asks the court to order the health system to fully disclose the nature and extent of the data compromised, and asks that the health system be required to implement reasonably sufficient safeguards to prevent further data breaches.

It is now relatively common for patients affected by data breaches to take legal action when their personal and protected health information is exposed or stolen; however, for these cases to succeed, victims of the data breach generally need to provide evidence that they have suffered harm. Many lawsuits are dismissed as the claims are deemed too speculative.

The nature of the harm and injuries suffered must also be sufficient to warrant damages. A lawsuit filed by a victim of an Envision Healthcare data breach, Pruchnicki v. Envision Healthcare Corp., was recently dismissed by the U.S. Court of Appeals for the Ninth Circuit.

In that case, the alleged harm and injuries were time spent dealing with the breach; stress, nuisance, and annoyance from dealing with its aftereffects; worry, anxiety, and hesitation when applying for new credit cards; imminent and impending injury from potential fraud and identity theft; and diminution in the value of the plaintiff's personal and financial information. Those allegations were sufficient to establish standing in the District Court but were insufficient to support an award of compensable damages.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.