Slew of Lawsuits Filed Over Recent Healthcare Data Breaches
Individuals impacted by the recent data breaches at Blackbaud, Assured Imaging, and BJC Healthcare have taken legal action over the exposure and theft of their personal and protected health information.
Multiple Lawsuits Filed Over Blackbaud Ransomware Attack
The data breach at Blackbaud is one of the largest ever breaches of healthcare data to be reported. It is currently unclear exactly how many healthcare entities have been affected, as each affected entity is reporting the breach separately. As the deadline for reporting approaches, the extent of the breach is becoming clearer. Currently, at least 5 million individuals are known to have been affected and around 60 healthcare organizations have confirmed they have been impacted by the breach.
As is now common in ransomware attacks, data were exfiltrated by the hackers prior to the use of ransomware. Blackbaud paid the ransom demand to obtain the keys to decrypt data and to ensure that all stolen data were permanently deleted. Blackbaud has received assurances that the stolen data have been deleted, but individuals whose information was stolen in the attack have still had to take steps to protect their identities, and many have incurred out-of-pocket expenses as a result of the breach.
At least 10 lawsuits have now been filed against Blackbaud and seek class action status. The lawsuits allege negligence, breach of contract, invasion of privacy, and violations of several state laws.
Blackbaud may have received assurances that stolen data have been deleted, but there is concern that a copy could have been made and is still in the hands of the hackers. According to one lawsuit filed in California federal court, “[Blackbaud] cannot reasonably maintain that the data thieves destroyed the subset copy simply because the defendant paid the ransom and the data thieves confirmed the copy was destroyed.” Blackbaud maintains the allegations in the lawsuits are without merit.
Lawsuit Filed Over Assured Imaging Ransomware Attack
Assured Imaging similarly suffered a ransomware attack in which patient data were stolen prior to the use of ransomware. The hackers first gained access to Assured Imaging’s systems on May 15, 2020 and deployed their ransomware on May 19, 2020. Notification letters were sent on August 26, 2020 to the 244,813 patients affected by the attack. While it has been confirmed that the attackers stole data, Assured Imaging was unable to determine what information was obtained.
The threat actors behind the attack later published a portion of data stolen in the attack in an attempt to pressure Assured Imaging into paying the ransom. The ransomware used in the attack was Pysa, aka Mespinoza.
A lawsuit has been filed in the US District Court of Arizona on behalf of plaintiffs Angela T. Travis, Kerri G. Peters, and Geraldine Pineda and others affected by the breach. The plaintiffs are represented by attorney Hart L. Robinovitch of Zimmerman Reed.
The lawsuit alleges Assured Imaging maintained patient data “in a reckless manner” on a computer network that was vulnerable to cyberattacks and that there was a known risk of improper disclosure of PHI due to the lack of appropriate cybersecurity protections.
The lawsuit also alleges the failure to secure the network left patient data “in a dangerous condition” and that there was improper monitoring of its network, resulting in a delay in identifying the intrusion.
The lawsuit also alleges Assured Imaging was in breach of FTC guidelines and had failed to comply with the minimum industry standards for data security, such as applying security updates promptly, training the workforce, implementing appropriate policies and procedures with regard to data security, and encrypting data.
The lawsuit alleges patients face an increased risk of fraud and identity theft for many years to come as a result of the theft of their data and the actual or potential release of their information on the black market. Affected patients have also “suffered ascertainable losses in the form of disruption of medical services, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.”
BJC Healthcare Facing Class Action Lawsuit over Phishing Attack
A lawsuit has been filed in the St. Louis Circuit Court over a March 2020 phishing attack on BJC Healthcare in which the personal and protected health information of 287,876 individuals was potentially compromised. The breach affected 19 hospitals associated with BJC Healthcare.
Three employees responded to phishing emails and disclosed their credentials, and the attackers then accessed their email accounts. BJC Healthcare claims the breach was detected the same day but could not determine whether any data in the email accounts were accessed or stolen by the attackers.
A lawsuit was filed by attorney Jack Garvey on behalf of BJC patient Brian Lee Bauer claiming BJC’s approach to patient privacy was negligent. The lawsuit alleges the health system failed to implement and follow basic security procedures which made the protected health information of its patients accessible to thieves. The lawsuit alleges BJC failed to encrypt – or did not sufficiently encrypt – patient data and that it failed to meet its data security obligations under HIPAA and the HITECH Act.
The lawsuit claims breach victims face an increased risk of identity theft and fraud and are “immediately and imminently in danger of sustaining some or further direct injury/injuries.” It also states that, as a result of the breach, patients have incurred significant out-of-pocket costs related to the prevention, detection, recovery, and remediation of identity theft and fraud, and that the breach “is taking a significant emotional and physical toll” on the individuals affected.