Patient Sues Eskenazi Health Over Ransomware Attack After Misuse of Her Data

An Eskenazi Health patient whose protected health information was stolen in an August 2021 ransomware attack is suing the healthcare provider over the data breach.

It is now common for ransomware gangs to exfiltrate sensitive data prior to using ransomware to encrypt files. The stolen data is used to threaten victims to encourage payment of the ransom, as was the case in the Eskenazi Health ransomware attack. Indianapolis, IN-based Eskenazi Health discovered the attack in early August and immediately shut down its computer systems in an attempt to prevent further unauthorized access and contain the attack. The healthcare provider took the decision to divert ambulances and cancel certain appointments as a safety measure while its electronic medical record system was offline.

The investigation into the breach determined that Eskenazi Health's systems had first been compromised in May and that files containing sensitive patient data had been exfiltrated. Notification letters started to be sent to affected patients in early November. Patients were informed of the data theft and were offered complimentary identity theft protection and credit monitoring services. At the time of issuing notifications, there had been no reports of any misuse of patient data, although some patient data had been published on the gang’s data leak site. The breach report submitted to the HHS’ Office for Civil Rights in early October indicates 1,515,918 patients were affected by the breach.

Eskenazi Health said the stolen data related to employees, providers, patients, former patients, and vendors and included names, addresses, telephone numbers, email addresses, dates of birth, medical record numbers, patient account numbers, diagnoses, clinical information, physicians’ names, insurance information, prescriptions, driver’s license numbers, passport numbers, face photographs, Social Security numbers, and credit card information.

Eskenazi Health patient Terri Ruehl Young was one of the individuals impacted by the data breach. In her lawsuit, Young claims a fraudulent charge of $370 was applied to the credit card she used to pay for her treatment and that her Equifax credit report showed an attempt to change her name.

The lawsuit alleges patients placed their trust in Eskenazi Health to secure its systems and protect patient data, but the healthcare provider betrayed that trust by failing to implement up-to-date security practices and appropriate safeguards to protect patient data. The lawsuit alleges negligence, breach of contract, and unjust enrichment.

The lawsuit also takes issue with the length of time it took Eskenazi Health to notify patients about the data breach. The lawsuit claims that notification letters were sent more than 6 months after hackers first breached Eskenazi Health's systems, and 3 months after the breach was discovered by Eskenazi Health. The HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a data breach.

The lawsuit, which was filed by Cohen and Malad and John Steinkamp & Associates, seeks class action status and requests a jury trial. A spokesperson for Eskenazi Health said the lawsuit has yet to be formally served.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.