The University of Connecticut and its affiliated teaching hospital are facing a class-action lawsuit, following its report that a phishing attack potentially breached the data of about 326,000 patients.
A hacker accessed a number of employee email accounts, which potentially compromised patient names, dates of birth, addresses, and limited medical information. For 1,500 patients, Social Security numbers were compromised.
UConn Health concluded its investigation on December 24 and began notifying patients at the end of February. At the time, officials said, “because we cannot isolate exactly what, if any, information may have been accessed, we notified individuals whose information was in the impacted accounts.”
In response, Yoselin Martinez, on behalf of herself and the other patients impacted by the breach, filed suit against UConn Health on March 18. Martinez is pursuing legal action after a fraudulent charge was made from her bank account and caused an overdraft, after she received UConn’s breach notification.
The lawsuit argued that UConn Health failed to properly secure and safeguard personally identifiable information and protected health information. Further, officials failed to provide a timely, accurate, and adequate notice that a data breach had occurred.
The crux of the argument is that patients have not been told when the breach occurred, the lawsuit argued. But UConn Health officials told the public that the breach first occurred in August 2018: four months before the investigation concluded and another six months before patients were notified.
The patients noted that phishing attacks on healthcare organizations are well-known and common. However, they argued that UConn Health’s breach only occurred due to their failure to “implement adequate and reasonable cybersecurity procedures and protocols.”
“Among other things, [UConn Health] failed to exercise reasonable care, and to implement adequate cybersecurity training, including, but not limited to, how to spot phishing emails from unauthorized senders,” according to the lawsuit.
“The deficiencies in [UConn Health]’s data security protocols were so significant that the breach likely remained undetected for months,” it continued. “Intruders, therefore, had months to access, view and steal patient data unabated.”
Further, the health system failed to discover its systems were breached and that “intruders were stealing data on hundreds of thousands of current and former patients. Timely action by UCONN would likely have significantly reduced the consequences of the breach.”
The lawsuit argued that the health system “intentionally, willfully, recklessly, or negligently” failed to take adequate steps to ensure its systems were protected, and officials failed to tell patients it didn’t have “adequate computer systems and security practices to safeguard their PII.”
Further, the health system failed to take available precautions to prevent the breach, including monitoring and timely detection of unauthorized access, according to the suit.
The patients are seeking remedies for “harms suffered” as a result of the security incident and assurance that their data, still held by UConn, “is protected from further breaches.”
“No one can know what else the cybercriminals will do with the compromised PII/PHI,” according to the lawsuit. “However, what is known is that UCONN Health patients will be for the rest of their lives at a heightened risk of further identity theft and fraud.”
“Defendants’ conduct gives rise to claims for breach of contract and negligence,” it continued. “Plaintiff, individually, and on behalf of those similarly situated, seeks to recover damages, equitable relief, injunctive relief designed to prevent a reoccurrence of the Data Breach and resulting injuries, restitution, disgorgement, reasonable costs and attorney fees, and all other remedies this Court deems proper.”
Lawsuits based on healthcare data breaches have become more common in recent years, as attacks continue to pummel the sector. Most recently, UCLA Health reached a $7.5 million settlement with the 4.5 million patients impacted by its 2015 breach