In 2021, Sea Mar Community Health Centers (SMCHC) faced a data breach. Now, the healthcare provider faces a class-action lawsuit. As a nonprofit, SMCHC treats underserved communities in Washington state. After a cyberattack, covered entities like SMCHC deal with many costs and issues including angry patients and possible lawsuits.
RELATED: The costs of ransomware attacks
Such short-term and long-term problems demonstrate why healthcare organizations must safeguard protected health information (PHI). And why it is imperative to prove HIPAA compliance by using strong cybersecurity features like HIPAA compliant email. Especially as the healthcare industry witnesses an increase in lawsuits along with an increase in data breaches.
The 2021 SMCHC breach
SMCHC discovered a breach in June 2021 after a threat actor posted stolen files on the Marketo dark web leak site.
SEE ALSO: Data leak marketplaces aim to take over the extortion economy
The organization later determined that the threat actor accessed and copied PHI from its network between December 2020 and March 2021. While SMCHC took immediate steps to secure its network and start an investigation, the Marketo gang had a six-month head start.
SMCHC sent a breach notification letter to affected individuals in October. PHI accessed and exfiltrated included:
| Names |
Addresses |
| Social Security numbers |
Birthdates |
| Health and treatment information |
Client numbers |
| Insurance information |
|
The healthcare provider also contacted the U.S. Office for Civil Rights, listing the breach as a hacking/IT incident affecting 688,000 individuals. In its October notification, SMCHC stated that “additional data may have been copied.” At the same time, SMCHC added that it was unaware of the data being misused.
The SMCHC lawsuit
On February 16, affected individuals filed a class-action lawsuit in Washington state. This is not the first lawsuit filed against SMCHC regarding this incident.
The plaintiffs accuse SMCHC of negligence and failure to adequately safeguard patient and employee information. In other words, SMCHC did not have proper cybersecurity in place to protect PHI. The lawsuit suggests that SMCHC acted in a “reckless manner” by storing PHI on its network “in a condition vulnerable to cyberattacks.”
Furthermore, the lawsuit alleges that the organization delayed breach notification. Under the HIPAA Breach Notification Rule, breaches with more than 500 affected individuals require notification within 60 days of discovery (or directly after an investigation).
SMCHC sent notification in October 2021, 10 months after the cyberattack and four months after discovery. Reports state that the investigation concluded in August 2021.
The plaintiffs maintain that they suffered injury and ascertainable losses due to the breach. They want compensatory damages, nominal damages, reimbursement of out-of-pocket expenses, and injunctive relief.
Lawsuits against healthcare organizations
Such lawsuits against healthcare organizations occur more and more frequently, likely due to the rise in cyberattacks and stolen PHI. Healthcare providers are not insulated from paying millions of dollars in damages after already costly cyberattacks.
SEE ALSO: Even nonprofit healthcare providers risk HIPAA fines – Metro pays $25K for data breach
Recent lawsuits include:
A judge dismissed a lawsuit against Brandywine Urology in February 2021. And in June 2021, the Supreme Court ruled that data breach victims must demonstrate actual injury and losses. Given this, we see healthcare organizations, such as UF Health Central Florida, successfully stop lawsuits while others, like Anthem, settle.
RELATED: Patients file lawsuits in wake of healthcare data breaches
What these cases demonstrate is that a lawsuit could happen to anyone after a HIPAA violation and/or PHI exposure.
Cybersecurity, cybersecurity, cybersecurity
Data breach lawsuits all claim that breaches occur because of inadequate cybersecurity measures. So why do healthcare organizations expose themselves to lawsuits when they could be proactive?
As cyberattacks become more common, healthcare organizations must do better with their cybersecurity. For one thing, covered entities must review and update their current privacy and security policies and procedures.
Along with this, they should provide regular and up-to-date employee awareness training. Necessary technical safeguards to block breaches include:
RELATED: The zero trust approach to managing cyber risk
Finally, it is important to ensure that business associates also employ strong cybersecurity measures. Healthcare organizations must always sign a business associate agreement and understand what their third-party vendors do to protect PHI.
A data breach is foreseeable, but PHI can remain secure with a proper cybersecurity program. Healthcare organizations can avoid disrupted service, HIPAA violations, and possible lawsuits with a practical approach to cybersecurity.
Try Paubox Email Suite Plus for FREE today.
Kapua Iao
