Elekta Faces Class Action Lawsuit over Ransomware Attack and Data Breach

A lawsuit has been filed on behalf of a former patient of Northwestern Memorial HealthCare (NMHC) against Elekta Inc. over its April 2021 ransomware attack and data breach.

Elekta, a Swedish provider of radiation medical therapies and related equipment data services, is a business associate of many U.S. healthcare providers. Hackers targeted the company’s cloud-based platform that is used to store and transmit healthcare data and were able to access the platform between April 2 and April 20, 2021. The breach was detected when the hackers deployed ransomware.

Elekta reported the attack as affecting a small percentage of its cloud customers in the United States, including NMHC. The entire oncology database of NMHC was compromised in the attack. The database contained the protected health information of 201,197 cancer patients, including names, dates of birth, Social Security numbers, and healthcare data. In total, the attack affected 170 of Elekta's healthcare clients.

The lawsuit was filed in the U.S. District Court for the Northern District of Georgia on behalf of Deborah Harrington and others similarly affected by the ransomware attack. The lawsuit alleges the disclosure of protected health information was preventable, with the data breach occurring as a result of Elekta failing to implement sufficient cybersecurity policies and procedures. As a result, hackers were able to gain access to its platform and copy the sensitive data of patients.

The lawsuit alleges Elekta was negligent and failed to honor its duties to maintain adequate data security systems to reduce the risk of data breaches, adequately protect PHI on its systems, and properly monitor its data security systems for existing intrusions. It is also alleged that Elekta did not ensure agents, employees, and others with access to sensitive information employed reasonable security procedures.

The lawsuit claims Harrington and the class members have suffered damages and actual harm as a direct result of the cyberattack, and that they now face an increased risk of identity theft and fraud and must undertake additional security measures to protect themselves against harm.

The alleged harm suffered by Harrington and the class members includes imminent risk of future identity theft, lost time and money expended to mitigate the threat of identity theft, diminished value of personal information, and loss of privacy.

The lawsuit seeks damages, reimbursement of out-of-pocket expenses, legal costs, injunctive relief, and other and further relief as deemed appropriate by the courts.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.