Breach Notification , Governance & Risk Management , Privacy
Class Action Attorneys Circling Major Healthcare Breaches
Despite Scant Details on Hacks, Law Firms Poised to Pounce on Norton, Fairfax OralPublic details have been scant so far from two medical care providers about recent major hacks that compromised the personal information of an unconfirmed number of patients. But that hasn't stopped the push by class action attorneys, who are already filing lawsuits.
See Also: Alleviating Compliance Pain Points in the Cloud Era
The two separate hacking incidents were reported to federal regulators in recent weeks by Louisville, Kentucky-based Norton Healthcare, which operates five hospitals in Kentucky and one in Indiana, and by Fairfax Oral and Maxillofacial Surgery, a dental care practice with a half-dozen offices located in Virginia.
In each of the cases, the entities reported their incidents to the Department of Health and Human Services' Office for Civil Rights as HIPAA breaches affecting more than 500 individuals. So far, both organization have been tight-lipped about the details of the hacks.
But class action attorneys aren't waiting. Just two weeks after Norton Healthcare reported its breach to HHS OCR on July 7 - as a hacking incident involving a network server and affecting 501 individuals - attorneys filed a proposed class action lawsuit complaint in a federal court by plaintiff Lanisha Malone, on behalf of herself and others similarly situated. They allege the impact was far wider and greater.
Malone, a former Norton employee and a longtime patient, alleges the 501 affected individuals figure reported to HHS OCR was merely a "placeholder" by the entity and that the incident actually affected "thousands, if not hundreds of thousands."
The lawsuit also alleges that Norton has thus far not notified affected individuals with details about what personal and protected health information was compromised. The complaint cites several media reports alleging that stolen data has been leaked on the website of ransomware group BlackCat, which claimed responsibility for the attack.
According to media reports, the lawsuit alleges, BlackCat has leaked on the dark web "employees' names, Social Security numbers and birth dates as well as patients' personal information, credit card numbers and medical history," all of which appear not to have been redacted.
The data breach increases the risk of the affected individuals falling victim to identity theft, financial fraud and other crimes, the lawsuit alleges.
As of Wednesday, Norton Healthcare did not have a breach notice statement posted on its public website about the incident, and the hack did not yet appear on the breach reporting websites of various state regulators.
Norton Healthcare did not immediately respond to Information Security Media Group's request for details about the breach.
But Renee Murphy, senior vice president and chief marketing and communications officer at Norton Healthcare, told ISMG in a statement: "We intend to vigorously defend ourselves in any litigation associated with the cyber event we experienced earlier this year. However, it is our practice not to comment on any pending litigation."
Malone's lawsuit seeks financial damages, restitution and injunctive relief, including an order for Norton Healthcare to improve its data security practices.
Attorneys representing plaintiff Malone in the lawsuit against Norton Healthcare did not immediately respond to ISMG's request for comment.
Big Breaches, Few Details
The Norton Healthcare breach is not the only hacking incident already attracting the attention of class action lawyers, despite an apparent embargo on the release of details to the public.
Class action law firms are also circling Fairfax Oral and Maxillofacial Surgery with investigations for potential legal action against the dental practice. FOMS reported its hacking/IT incident to HHS OCR on July 14 as affecting more than 208,000 individuals and involving a network server.
So far, FOMS has also been tight-lipped about what happened in its hack. As of Wednesday, the practice had not posted a public breach notice on its website, and like Norton Healthcare, no breach reports had yet been posted on the websites of state regulators.
FOMS did not respond to multiple inquires by ISMG seeking details about the incident.
But as of Wednesday, at least two large class action lawsuit firms had already issued public statements on their websites soliciting details about the FOMS data breach from individuals affected by the incident.
"We believe that when companies collect and store personal data, they have a duty to protect it and to take measures to prevent data theft," said a statement posted on the website of legal practice The Lyon Firm. "Creating a strong network security system may be expensive, but when companies fail to protect patients' sensitive information and a data breach occurs, they may be held liable for damages."
The Lyon Firm encourages potential plaintiffs to "act quickly and remain vigilant against identity theft and fraud" and contact the firm to review their case.
A similar statement seeking details about the FOMS incident is posted on the website of law firm Console and Associates.
"Our data breach lawyers are eager to speak to victims of the Fairfax Oral and Maxillofacial Surgery data breach to determine what damages they sustained and what compensation may be available to them."
A spokeswoman for Console and Associates told ISMG that the only information the law firm has been able to obtain about the FOMS incident has been from the HHS breach reporting website. "So far, we've been unable to obtain any additional information or anything that would indicate if they have already begun notifying the affected," she said.
The Lyon Firm did not immediately respond to ISMG's request for comment.
Balancing Act
One legal expert not involved with the Norton Healthcare or FOMS incidents said the two incidents highlight some of the complexities of breach response and reporting, including decisions about when to make details available to those affected and the public at large.
"The first step is to always report to the secretary of HHS because the government or law enforcement may say, 'Don't notify the clients or the media yet,'" said regulatory attorney Rachel Rose. "If HHS, who does coordinate with federal law enforcement such as the FBI, confirms that notifications should be sent, then the next step is to alert the media and the individuals affected."
HIPAA-covered entities and business associates face breach reporting requirements by HHS - including notification of affected individuals within 60 days - and to HHS within that same time frame when discovering a breach affecting 500 or more individuals.
But organizations also face a growing list of additional reporting duties from other regulators, including state attorneys general and federal agencies.
"In light of the Securities and Exchange Commission's Final Rules, which were released late July, as well as what is required by HHS and the Federal Trade Commission, there is certain content which must be disclosed," Rose said.
The SEC in July voted to require publicly traded companies to disclose most "material cybersecurity incidents" within four business days of determining materiality. The rule goes into effect in December (see: SEC Votes to Require Material Incident Disclosure in 4 Days).
Yet at the same time, Rose said, it is important for entities to not disclose too many details. "It could make the organization more exposed to another attack. It is a balance."
And Rose doesn't recommend that organizations intentionally underestimate the number of affected individuals in HIPAA breach reports to HHS.
"Knowingly misrepresenting the number of persons affected is material," she said. "There is a duty to inform HHS as soon as information to the contrary is received, which would then trigger the HIPAA Breach Notification Rule requirements of 501-plus persons."