LifeBridge Health Sued for 18-Month Malware That Allowed Theft of 530,000 Patients’ PHI

A lawsuit has been filed on behalf of patients who had their protected health information stolen as a result of a malware infection at the Baltimore-based healthcare provider LifeBridge Health.

LifeBridge Health discovered the malware infection in March 2018; however, an investigation of the breach revealed the malware had been installed on one of its servers on or around September 27, 2016. The server hosted LifeBridge Health electronic medical records and its patient registration and billing systems.

During the 18 months that the malware was on its server, the protected health information of approximately 530,000 patients was allegedly stolen – Information such as names, addresses, dates of birth, Social Security numbers, health insurance information, diagnoses, and treatment information.

According to the lawsuit, filed by law firm Murphy, Falcon & Murphy, the malware was installed as a result of “LifeBridge’s failure to ensure the integrity of its servers and to properly safeguard patients’ highly sensitive and confidential information.”

The lawsuit claims the breach was the result of “a serious lack of judgement and oversight” on the part of LifeBridge Health for failing to implement appropriate safeguards to protect patients’ PII and PHI, and for allowing hackers to “freely roam its systems” for 18 months before the breach was discovered. Following the discovery of the breach.

The lawsuit claims the breach exposed patients to serious harm and that the conduct of LifeBridge Health violated many privacy protection statutes in Maryland, including the Maryland Personal Information Protection Act, the Maryland Social Security Number Privacy Act, and the Maryland Consumer Protection Act.

“This data breach has compromised every aspect of these patients’ personal identities and has subjected them to significant harm,” said Hassan Murphy, Managing Partner at Murphy, Falcon & Murphy.

While hackers gained access to sensitive patient information, it is currently unclear how many of those patients have suffered financial losses as a result of the breach. Something which will no doubt have to be proven if the lawsuit is to succeed.

Two defendants named in the lawsuit, Jahima Scott and Darlene Johnson, claim their identities were stolen and they became victims of credit card fraud shortly after the breach occurred. The plaintiffs are seeking damages in excess of $30,000.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.