New York Accounting Firm Facing Class Action Lawsuit Over Maze Ransomware Attack

Patients whose protected health information was stolen in a manual ransomware attack on the New York accounting firm BST & Co. CPAs LLC in late 2019 have taken legal action against the company.

The lawsuit alleges BST & Co. was negligent for failing to take appropriate and reasonable steps to prevent the attack and did not provide prompt and accurate notice to affected patients. The lawsuit also alleges the company breached its fiduciary duty to protect sensitive patient information and violated state laws related to deceptive business practices.

The ransomware attack was discovered by BST on December 7, 2019. The attack involved Maze ransomware and, prior to file encryption, the gang exfiltrated a range of data from the company and threatened to publish the data if the ransom was not paid. When payment was not made, the gang followed through on the threat and published sensitive data on its website.

According to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, the PHI of 170,000 individuals was potentially compromised in the attack, many of whom were patients of Community Care Physicians. Even though patient data had been published online where it could be accessed by anyone, BST waited until February 14, 2020 to send notification letters to patients.

The lawsuit was filed in New York’s supreme court on May 27, 2020 and class action status is being sought. The lawsuit alleges BST & Co. “intentionally, willfully, recklessly, or negligently failed to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions,” and states its computer systems and security practices were not adequately robust.

The lawsuit also alleges BST and its staff were not properly monitoring the computer network and systems that contained sensitive patient information, and contends that with proper monitoring the attack would have been identified sooner. The lawsuit claims that as a result of the company's failures, patient data is now in the hands of data thieves and patients' identities are at risk.

The lawsuit seeks compensatory damages, reimbursement for out-of-pocket expenses, and the provision of adequate credit monitoring services, and calls for improvements to the company's security systems to prevent further breaches.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.