Florida Orthopaedic Institute Facing Class Action Lawsuit Over Ransomware Attack
It is becoming increasingly common for healthcare organizations to face legal action after experiencing a ransomware attack in which patient data is stolen. Florida Orthopaedic Institute, one of the largest orthopedic providers in the state, is one of the latest healthcare providers to face a class action lawsuit over a ransomware attack.
The ransomware attack was detected on April 9, 2020, when staff were prevented from accessing computer systems and data due to the encryption of files. A third-party computer forensics firm was engaged to assist with the investigation and determined on May 6, 2020, that the attackers may have accessed and exfiltrated patient data. A range of sensitive data was potentially compromised, including names, dates of birth, Social Security numbers, and health insurance information. Affected patients were notified about the breach on or around June 19, 2020, and were offered complimentary identity theft and credit monitoring services for 12 months. At the time of issuing notifications, no evidence had been found to suggest patient data had been misused.
Attorney John Yanchunis of the law firm Morgan & Morgan recently filed a lawsuit against Florida Orthopaedic Institute in Hillsborough County, FL, alleging the healthcare provider failed to implement appropriate safeguards to ensure the confidentiality of patient data. He claimed, “Certainly, this information was in the hands of cybercriminals and was being used maliciously.”
The lawsuit alleges the healthcare provider was “lackadaisical, cavalier, reckless, or in the very least, negligent” with respect to maintaining the privacy of its patients, and basic cybersecurity best practices were not followed. In addition to negligence, the lawsuit alleges invasion of privacy, breach of fiduciary duty, breach of implied contract, unjust enrichment, and violation of Florida’s Deceptive and Unfair Trade Practices Act.
While patients were offered complimentary identity theft protection services, Yanchunis claims that 12 months of coverage is not nearly enough to protect victims, since affected individuals now face an elevated risk of financial harm as a result of the breach for many years to come.
The lawsuit seeks extended credit monitoring for breach victims and at least $99 million in damages on behalf of the current and former patients. The incident was reported to the HHS’ Office for Civil Rights as affecting 640,000 patients.
Update: A $4 million settlement has been proposed to resolve claims related to the data breach.
Other recent ransomware attacks that have resulted in lawsuits include the attacks on DCH Health System and BST & Co CPAs LLC. Grays Harbor Community Hospital recently proposed a $185,000 settlement to resolve a potential class action lawsuit filed on behalf of a victim of the breach.