HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Lamoille Health Partners Facing Class Action Lawsuit Over 58K-Record Data Breach

The Morristown, VT-based healthcare provider, Lamoille Health Partners, is facing a class action lawsuit over a June 2022 ransomware attack that affected almost 60,000 of its patients.

The attack was detected on June 13, 2022, with the investigation confirming the attackers gained access to its network the previous day. Before file encryption, the attackers potentially accessed or acquired documents from its systems that contained names, addresses, dates of birth, Social Security numbers, health insurance information, and medical treatment information.

On or around August 11, 2022, notification letters were sent to affected individuals, and complimentary identity protection and credit monitoring services were offered to patients whose Social Security numbers were potentially stolen. Lamoille Health Partners said the delay in issuing notification letters was due to the length of the investigation to establish which individuals had been affected and the types of information involved. The breach was reported to the HHS’ Office for Civil Rights as affecting 59,381 patients.

As is now common following healthcare data breaches, legal action is being taken by patients who had their protected health information exposed. The lawsuit alleges Lamoille Health Partners failed to implement appropriate safeguards to ensure the confidentiality of the protected health information stored on its systems, in violation of the HIPAA Security Rule. The plaintiff – Patricia Marshall –  says the negligence of Lamoille Health Partners means her sensitive information is in the hands of cybercriminals and she and the class members face an imminent and ongoing risk of identity theft and fraud.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The lawsuit also alleges there was an unnecessary delay in issuing notification letters to affected individuals, even though notification letters were sent within the 60-days allowed by the HIPAA Breach Notification Rule. The lawsuit – Marshall v. Lamoille Health Partners Inc. – was filed in the U.S. District Court for the District of Vermont on September 1, 2022, and seeks compensatory damages for the plaintiff and class members, and injunctive relief, requiring Lamoille Health Partners to implement further security measures to better protect patient data. The plaintiff is represented by Burlington, VT, lawyer Matthew B. Byrne of Gravel and Shea.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.