Judge Allows Lawsuit Against EHR Vendor in Hack to Proceed
Several Claims Dismissed, But Other Allegations in Breach Case Get a Green Light
A federal judge has dismissed several claims but has given the green light for plaintiffs to move forward with other allegations in a proposed class action filed against electronic health records vendor NextGen in the aftermath of a 2023 ransomware attack that affected about 1 million people.
The Thursday ruling by U.S. District Judge Thomas Thrash of the U.S. District Court for the Northern District of Georgia grants NextGen's motion to dismiss more than a dozen state data privacy and consumer protection law claims alleged by plaintiffs in their consolidated amended class action lawsuit filed last December against the vendor.
But the judge denied NextGen's motion to dismiss several other claims, allowing the plaintiffs' case to proceed. That includes moving forward with the lawsuit's allegations that the company breached its fiduciary duty to safeguard the sensitive information of plaintiffs and class members.
NextGen in its motion to dismiss the case alleged that the EHR software company lacked a direct fiduciary relationship with the plaintiffs and class members and argued that the mere receipt and storage of confidential information does not create a fiduciary relationship.
But the judge in his ruling disagreed, saying the question of whether or not NextGen has a fiduciary relationship with plaintiffs and breached its duty is not clear cut.
"In some circumstances, the retention of private information that patients provided while seeking medical care can create a fiduciary duty under Georgia law," the judge said. "Whether or not the circumstances in the present case rise to that level is not a question that can be resolved in a motion to dismiss. Thus, the court will not dismiss [this] count at this time."
The proposed class action litigation - which consolidates more than a dozen lawsuits filed last year against NextGen - alleges, among other claims, that the EHR vendor breached its fiduciary relationship "by not acting reasonably in collecting, storing and maintaining the private information of plaintiffs and class members."
The lawsuit seeks financial damages - including compensatory, statutory and punitive damages - as well as extended credit and identity monitoring. It also seeks injunctive relief that would require NextGen to strengthen its data security practices.
Breach Details
The lawsuit alleges that between at least March 29 and April 14, 2023, a hacker infiltrated NextGen's network and accessed and exfiltrated "a massive amount" of highly sensitive private information stored on NextGen systems, including full names, birthdates, addresses and Social Security numbers of patients.
NextGen reported the breach on May 5, 2023, to Maine's attorney general as affecting more than 1 million individuals and said the incident involved "unauthorized access to database stemming from use of stolen client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen" (see: Cloud-Based EHR Vendor Notifying 1 Million of Data Breach).
That breach report to regulators followed a separate incident that NextGen said it was investigating in January 2023, during a time when the ransomware-as-a-service gang BlackCat, also known as Alphv, briefly listed the company on its data leak site (see: 2 Vendors Among BlackCat's Alleged Recent Ransomware Victims).
The lawsuit claims that the two incidents appear related. "Given the difficulty of eliminating malware once it has infiltrated a company's network, the data breach [reported in May 2023] may be a continuation of the January 2023 data breach that NextGen failed to discover," the amended, consolidated lawsuit complaint alleges.
"In any event, even if the two data breaches are separate and distinct events, the repeated breach of NextGen's systems evinces its flawed data security and its continuous disregard of its obligations to protect Private Information from exposure, compromise, and/or exfiltration by cybercriminals," the lawsuit alleges. "The January 2023 breach put, or should have put, NextGen on notice that further cyberattacks were imminent."
NextGen last May told Information Security Media Group in a statement that the two hacks were separate incidents (see: NextGen Facing a Dozen Lawsuits So Far Following Breach).
Regulatory attorney David Holtzman of the consulting firm HITprivacy - who is not involved in the NextGen litigation - said the plaintiffs' amended complaint raises a number of questions about the company's capabilities to identify, assess and defend against cyberthreats to its EHR systems.
"Healthcare providers that employ the NextGen EHR suite of applications should be taking steps to assess their risk and taking action to ensure the protection of their data," he said.
NextGen did not immediately respond to ISMG's request on Tuesday for comment on the lawsuit's allegations and last week's federal court ruling.
Attorneys representing plaintiffs in the litigation also did not immediately respond to ISMG's requests for comment.