Share this article on:
It is becoming increasingly common for healthcare organizations to face legal action after experiencing a ransomware attack in which patient data is stolen. The Florida Orthopedic Institute, one of the largest orthopedic providers in the state, is one of the latest healthcare providers to face a class action lawsuit over a ransomware attack.
The ransomware attack was detected on April 9, 2020 when staff were prevented from accessing computer systems and data due to the encryption of files. A third-party computer forensics firm was engaged to assist with the investigation and determined on May 6, 2020 that the attackers may have accessed and exfiltrated patient data. A range of sensitive data was potentially compromised including names, dates of birth, Social Security numbers, and health insurance information. Affected patients were notified about the breach on or around June 19, 2020 and were offered complimentary identity theft and credit monitoring services for 12 months. At the time of issuing notifications, no evidence had been found to suggest patient data had been misused.
Attorney John Yanchunis of the law firm Morgan & Morgan recently filed a lawsuit against Florida Orthopedic Institute in Hillsborough County, FL alleging the healthcare provider failed to implement appropriate safeguards to ensure the confidentiality of patient data. He claimed “Certainly, this information was in the hands of cybercriminals and was being used maliciously.”
The lawsuit alleges the healthcare provider was “lackadaisical, cavalier, reckless, or in the very least, negligent” with respect to maintaining the privacy of its patients and basic cybersecurity best practices were not followed. In addition to negligence, the lawsuit alleges invasion of privacy, breach of fiduciary duty, breach of implied contract, unjust enrichment and violation of the Florida’s Deceptive and Unfair Trade Practices Act.
While patients were offered complimentary identity theft protection services, Yanchunis claims that 12 months of coverage is not nearly enough to protect victims, since affected individuals now face an elevated risk of financial harm as a result of the breach for many years to come.
The lawsuit seeks extended credit monitoring for breach victims and at least $99 million in damages on behalf of the current and former patients.
The incident has yet to appear on the breach portal maintained by the HHS’ Office for Civil Rights so it is currently unclear how many patients have been affected by the attack. According to the lawsuit, at least 100,000 patients were affected and potentially more than 150,000.
Other recent ransomware attacks that have resulted in lawsuits include the attack on DCH Health System and BST & Co CPAs LLC. Grays Harbor Community Hospital recently proposed a $185,000 settlement to resolve a potential class action lawsuit filed on behalf of a victim of the breach.