[BreachExchange] Lawsuits Filed Against Health Quest, Tidelands After Data Breach Reports

Destry Winant destry at riskbasedsecurity.com
Thu Jan 30 10:09:38 EST 2020


https://healthitsecurity.com/news/lawsuits-filed-against-health-quest-tidelands-after-data-breach-reports

January 29, 2020 - Health Quest and Tidelands Health are both facing
lawsuits after the providers reported potential data breaches. Health
Quest recently added more patients to the tally of victims impacted by
a 2018 phishing attack, while Tidelands fell victim to a ransomware
attack in December.

In May 2019, Health Quest reported several employees fell victim to
phishing attacks nearly a year earlier in July 2018. The attack was
detected soon after the initial system breach and the accounts were
secured. The investigation concluded in April 2019, and officials
determined patient data was contained in the impacted email accounts.

Patients who visited Health Quest between January 2018 and June 2018
were included in the initial breach tally. The notification did not
explain why officials delayed notifying patients until well beyond the
HIPAA-mandated 60 days.

In January 2019, Health Quest began notifying another round of
patients that their data was also breached during the 2018 phishing
attack. In total, more than 28,000 patients were impacted.

The second round of notifications prompted a Poughkeepsie patient,
Leah Wallace, to file a class-action lawsuit in federal court against
Health Quest and Nuvance Health, of which Health Quest is now part,
according to local news outlet Poughkeepsie Journal.

The lawsuit argues the provider failed to exercise reasonable care in
securing and safeguarding their patients’ sensitive personal data.
The breach exposed names, dates of birth, Social Security numbers,
driver’s licenses, and financial data.

As a result of those failures, the suit argues that hackers were able
to steal patients’ private information. Thus, patients are put at
immediate, serious, and ongoing risks, as well as increased expenses
that stem from individuals’ efforts to protect and monitor their
credit after the breach.

Further, the lawsuit calls Health Quest’s delay in notifying patients
“inexplicable,” and says the provider had obligations created by HIPAA,
industry standards, common law and representations made to class
members, to keep class members' private information confidential and
to protect it from unauthorized access and disclosure.

“Plaintiff and other class members have suffered actual injury and are at
risk of further imminent and impending injury arising from the
substantially increased risk of future fraud, identity theft, and
misuse posed by the private information being stolen,” according to
the lawsuit.

The Department of Health and Human Services is currently investigating
the incident.

For South Carolina-based Tidelands Health, the recently filed lawsuit
stems from a December ransomware attack. The provider was forced into
EHR downtime procedures after a reported malware attack impacted some
of its computer network, which was shut down as a result.

Patient care continued throughout the attack, but some appointments
were rescheduled as some of the IT network remained offline or
operated under limited function during the recovery period.

Last week, patients impacted by the attack filed a class-action
lawsuit in federal court to hold the hospital accountable for the
attack and the treatment of its patients, according to local news
outlet ABC15 News.

The lawsuit argued that ransomware disrupted care operations, while
disclosing highly sensitive patient medical records of thousands of
patients that were lost during the attack. The potentially compromised
data included names, health insurance information, Social Security
numbers, and dates of birth.

As a result, impacted patients are at risk for fraud and identity theft.

Further, one patient named in the suit claims that she was turned away
for her scheduled nuclear stress test, which was essential for her
care as she suffered two strokes in the past year. The patient claims
she was left in the dark after the attack and only learned the system
was back online from someone who did not work at the hospital.

Another patient claimed that she was repeatedly given food items she
could not eat, as a result of the clinician being unable to access the
patient’s medical records.

The lawsuit also claims the provider failed to protect patient data
and argues that Tidelands is not adhering to HIPAA as it still has not
been reported to HHS. However, under HIPAA, providers are given 60
days to report. Patients are seeking monetary damages and free credit
monitoring for three years.

In the last few months, several other providers have been hit with
similar lawsuits stemming from potential data breaches or security
incidents. In the past, these cases have seen mixed results. Some
covered entities have seen cases dismissed, while others, such as the
most recent case, Premera Health, have reached settlements totaling
several millions of dollars.

