Facing a public shaming – and the threat of federal action – after a patient data breach is painful enough. But for one Baltimore-based health system, the aftermath also includes a class-action suit filed on behalf of the patients whose data was exposed. The security problem stems from questionable security practices at a medical group.
The story begins in September 2016, when LifeBridge Health’s servers were attacked. Somehow, the cybercriminals managed to penetrate the defenses of one of the system’s medical practices and install malware on the server that hosted its patient records, patient registration and billing systems.
As is too often the case with such incidents, LifeBridge leaders didn’t learn about the breach until March of this year. In other words, unbeknownst to all, it left the data door wide open for eighteen months or so. During that period, the data thieves stole personal information on more than 530,000 consumers, including client treatment information, medical diagnoses, Social Security numbers, birth dates, names, addresses and health insurance details.
The class action, which was filed in late December, argues that the breach was possible because LifeBridge didn’t protect its servers adequately and that they “knew or should have known” that a massive data breach was likely given its allegedly lax security practices.
As we know, this breach could be due to poor compliance with HIPAA security regs, for which the Office for Civil Rights could pursue sanctions. According to the suit, the health system’s inadequate data protections may also run afoul of several Maryland state privacy protection laws.
The LifeBridge suit appears to be part of a broader trend: data breach suits against healthcare organizations are becoming more common.
For example, earlier this month a group of state Attorneys General filed a suit against several health IT companies asserting that lax security practices led to the theft of PHI on 3.9 million individuals during a 2015 data security episode.
December also saw the settlement of a data breach lawsuit against Dothan, Ala.-based Flowers Hospital over a 2014 data breach caused by employee data theft. The employee had stolen information from the hospital’s lab.
And in the summer of 2018, Kansas City, Mo.-based Children’s Mercy Hospital was targeted by a class action lawsuit over a 2017 breach affecting more than 60,000 individuals.