[BreachExchange] Patient sues UConn Health in federal court over February data breach

Destry Winant destry at riskbasedsecurity.com
Thu Mar 28 00:26:57 EDT 2019


A New London woman has sued UConn Health over a data breach in
February she says resulted in fraudulent activity affecting her bank

In the federal lawsuit filed last week, Yoselin Martinez, a patient at
the Farmington health center, said hackers “had months to access, view
and steal patient data unabated.” In addition, she said UConn failed
to recognize its systems had been breached and data on hundreds of
thousands of current and former patients were being stolen.

UConn Health said in February an unauthorized third party illegally
accessed a “limited number of employee email accounts” that contained
the Social Security numbers of about 1,500 people and other personal
information of the remaining 324,500 potentially impacted people.

In her lawsuit, Martinez accused UConn Health of failing to properly
secure and safeguard their personally identifiable information and
protected health information and failing to “provide timely, accurate
and adequate notice” that personal information was compromised.

The hacker gained access to employee email accounts through a phishing
attack that exposed personal data, the lawsuit said. The exposed
personal information included patients’ names, dates of birth,
addresses, medical information and Social Security numbers, according
to the lawsuit.

Martinez is seeking to make the legal challenge a class-action lawsuit.

Two UConn representatives did not immediately respond to an email
seeking comment.

UConn Health said Feb. 22 it immediately took action when it
discovered the breach, including securing affected accounts to prevent
further unauthorized access, and that it confirmed the security of its
email system.

“UConn Health also notified law enforcement and retained a leading
forensic security firm to investigate and conduct a comprehensive
search for any personal information in the impacted email accounts,”
it said.

However, the data breach occurred “only because UConn failed to
implement adequate and reasonable cyber-security procedures and
protocols,” Martinez said.

In addition to the fraudulent activity, Martinez said she’ll be at
“heightened risk for financial fraud and identity theft” and damages
for several years.
