Share this article on:
Wilmington Surgical Associates in North Carolina is facing a class action lawsuit over a Netwalker ransomware attack and data breach that occurred in October 2020.
As is now common in ransomware attacks, files were exfiltrated prior to the deployment of ransomware. In this case, the Netwalker ransomware gang stole 13GB of data from two Wilmington Surgical Associates’ servers that were used for administration purposes. Some of the stolen was published on the threat actors’ data leak site where it could be accessed by anyone.
The leaked data was spread across thousands of files and included financial information related to the practice, employee information, and patient data such as photographs, scanned documents, lab test results, Social Security numbers, health insurance information, and other sensitive patient information.
Wilmington Surgical Associates sent notifications to affected individuals in December 2020 and reported the data breach to the HHS’ Office for Civil Rights on December 17, 2020 as affecting 114,834 patients.
The lawsuit – Jewett et al. v. Wilmington Surgical Associates – was filed by Rhine Law Firm; Morgan & Morgan; and Mason Lietz & Klinger on February 10, 2021 and was recently removed to the US District Court for the Eastern District of North Carolina.
Plaintiffs Katherine Teal, Sherry Bordeaux, and Philip Jewett allege in the lawsuit that their sensitive personal and health information is now in the hands of cybercriminals, which places them at an elevated risk of identity theft and fraud and other damages such as the lowering of credit scores and higher interest rates. The plaintiffs also allege they have suffered ascertainable losses as a result of the security incident in terms of out-of-pocket expenses and time spent remediating the effects of the data breach.
The lawsuit alleges Wilmington Surgical Associates was negligent for failing to adequately safeguard patient data when it had been put on notice about the elevated risk of ransomware attacks. In addition, it is alleged that the North Carolina healthcare provider failed to adequately monitor its systems for network intrusions and failed to provide timely breach notifications to patients and adequate information on the types of information compromised in the attack.
The plaintiffs seek reimbursement of out-of-pocket expenses, compensation for time spent dealing with the aftereffects of the breach, restitution, injunctive relief, and adequate credit monitoring services for breach victims. The lawsuit also requires the courts to order Wilmington Surgical Associates to improve data security and undergo annual security audits.