[BreachExchange] Breach Victims File Class Action Lawsuit Against Einstein Healthcare

Destry Winant destry at riskbasedsecurity.com
Tue Apr 27 10:36:15 EDT 2021


https://healthitsecurity.com/news/breach-victims-file-class-action-lawsuit-against-einstein-healthcare

April 27, 2021 - Einstein Healthcare Network is facing a class-action
lawsuit, following the August 2020 hack of several employee email accounts.
The breach victims claim the Pennsylvania-based health system failed to
properly secure and safeguard the protected health information of patients.

Einstein notified the public of the compromise in January 2020, nearly six
months after the security incident. According to the Department of Health
and Human Services breach reporting tool, the email hack compromised the
data of 353,616 patients.

An attacker gained access to the accounts for 12 days between August 5 and
August 17, 2020. The accounts contained a wide range of patient data,
including names, dates of birth, medical record or patient information,
and/or treatment and clinical data, such as diagnoses, medical information,
locations of service, and provider names.

Some patients also saw their Social Security numbers, health insurance
information, and/or driver’s licenses compromised during the incident.
While media reports on the incident did not begin until January, the
lawsuit confirmed that Einstein honored the 60-day timeline required by
HIPAA and sent letters to patients beginning in October.

The investigation continued during that time, with more patients being
notified that their data was included in the breached information between
January 21, 2021 and February 8, 2021.

Filed by former patient Nanette Katz, the lawsuit argues that Einstein
failed to provide timely, accurate, and adequate notice to patients that
their data had been compromised, in addition to failing to comply with
industry standards to protect its systems that contained PHI.

Katz was among the patients who received the January breach notice from
Einstein, nearly six months after the initial incident.

The lawsuit argues that the notification was “untimely and woefully
deficient, failing to provide basic details concerning the data breach,
including, but not limited to, why sensitive patient information was stored
within employee emails which were clearly stored on systems without
adequate security, the deficiencies in the security systems that permitted
unauthorized access, whether the stolen data was encrypted or otherwise
protected, and whether Einstein knows if the data has not been further
disseminated.”

Further, the patients claim their PHI is in the hands of the cybercriminals
and that the victims will “forever face a substantial, increased risk of
identity theft.” Thus, the affected patients will continue to spend
significant time and money to protect themselves from further injury.

The lawsuit also takes issue with Einstein only providing identity
protection services to patients whose SSNs were compromised. Notably, the
lawsuit contains several spelling errors.

“To date, Einstein has not yet disclosed full details of the data breach,”
according to the lawsuit. “Without such disclosure, questions remain as to
the full extent of the data breach, the number of patients involved, the
actual data accessed and compromised, and what measures, if any, Einstein
has taken to secure the PHI still in its possession.”

“Through this litigation, [the patient] seeks to determine the scope of the
data breach and the information involved, obtain relief that redresses
[Einstein’s] harms, and ensure Einstein has proper measures in place to
prevent another breach from occurring in the future.”

The victims are asking the court to order Einstein to “fully and accurately
disclose the nature of the information that has been compromised and to
adopt reasonably sufficient security practices and safeguards to prevent
incidents like the disclosure in the future.”

Healthcare breach lawsuits are par for the course under the current threat
landscape, with varying results. The majority are settled out of court,
such as the most recent settlement with Saint Francis Healthcare, which
owns Ferguson Medical Group.

But other courts have stressed the need for breach victims to demonstrate
actual harm. For example, a judge dismissed a lawsuit against Brandywine
Urology Consultants in February, as the patients failed to provide evidence
of injuries or losses caused by the security incident.