Paubox blog: HIPAA compliant email made easy

Sea Mar Community Health Centers faces a lawsuit

Written by Kapua Iao | March 05, 2022

In 2021, Sea Mar Community Health Centers (SMCHC) faced a data breach. Now, the healthcare provider faces a class-action lawsuit. As a nonprofit, SMCHC treats underserved communities in Washington state. After a cyberattack, covered entities like SMCHC deal with many costs and issues including angry patients and possible lawsuits.

RELATED: The costs of ransomware attacks

Such short-term and long-term problems demonstrate why healthcare organizations must safeguard protected health information (PHI), and why it is imperative to maintain demonstrable HIPAA compliance with strong security controls such as HIPAA compliant email, especially as the healthcare industry sees lawsuits rise alongside data breaches.

The 2021 SMCHC breach

SMCHC discovered the breach in June 2021 after a threat actor posted stolen files on Marketo, a dark web data leak marketplace.

SEE ALSO: Data leak marketplaces aim to take over the extortion economy

The organization later determined that the threat actor accessed and copied PHI from its network between December 2020 and March 2021. Once the breach was discovered, SMCHC took immediate steps to secure its network and start an investigation, but by then the attacker had a roughly six-month head start.

SMCHC sent a breach notification letter to affected individuals in October 2021. The PHI accessed and exfiltrated included:

- Names
- Addresses
- Social Security numbers
- Birthdates
- Health and treatment information
- Client numbers
- Insurance information

The healthcare provider also reported the breach to the U.S. Department of Health and Human Services' Office for Civil Rights (OCR), listing it as a hacking/IT incident affecting 688,000 individuals. In its October notification, SMCHC stated that “additional data may have been copied,” but added that it was not aware of any misuse of the data.

The SMCHC lawsuit

On February 16, 2022, affected individuals filed a class-action lawsuit in Washington state. This is not the first lawsuit filed against SMCHC over this incident.

The plaintiffs accuse SMCHC of negligence and of failing to adequately safeguard patient and employee information. In other words, they allege that SMCHC did not have proper cybersecurity in place to protect PHI. The complaint says SMCHC acted in a “reckless manner” by storing PHI on its network “in a condition vulnerable to cyberattacks.”

Furthermore, the lawsuit alleges that the organization delayed breach notification. Under the HIPAA Breach Notification Rule, a covered entity must notify affected individuals without unreasonable delay and no later than 60 calendar days after it discovers a breach of unsecured PHI; the clock starts at discovery, not at the end of the investigation. For breaches affecting 500 or more individuals, the covered entity must also notify HHS and prominent media outlets within that same 60-day window.

SMCHC sent notification in October 2021, 10 months after the intrusion began and four months after discovery, well past 60 days from the June discovery date. Reports state that the investigation concluded in August 2021.

The plaintiffs maintain that they suffered injury and ascertainable losses due to the breach. They want compensatory damages, nominal damages, reimbursement of out-of-pocket expenses, and injunctive relief.

Lawsuits against healthcare organizations

Such lawsuits against healthcare organizations are becoming more frequent, likely because cyberattacks and PHI theft are rising. Healthcare providers are not insulated from paying millions of dollars in damages on top of the already high cost of the cyberattack itself.

SEE ALSO: Even nonprofit healthcare providers risk HIPAA fines – Metro pays $25K for data breach

Recent lawsuits include:

| Name | Date served | Date of breach | Type of breach |
|---|---|---|---|
| Springhill Medical Center | January 2020 | July 2019 | Ransomware (possibly led to infant death) |
| Blackbaud (business associate) | Several times in 2020 | February to May 2020 | Ransomware |
| US Fertility | January 2021 | September 2020 | Ransomware |
| Bansley and Kiener (business associate) | December 2021 | December 2020 | Ransomware |
| Broward Health | January 2022 | October 2021 | Hacking/IT incident |

A judge dismissed a lawsuit against Brandywine Urology in February 2021. And in June 2021, the Supreme Court ruled in TransUnion LLC v. Ramirez that plaintiffs must show a concrete injury, not merely a risk of future harm, to have standing in federal court. Given this, some healthcare organizations, such as UF Health Central Florida, have succeeded in getting lawsuits dismissed, while others, like Anthem, settle.

RELATED: Patients file lawsuits in wake of healthcare data breaches

What these cases demonstrate is that any healthcare organization can face a lawsuit after a HIPAA violation and/or PHI exposure, whatever the eventual outcome.

Cybersecurity, cybersecurity, cybersecurity

Data breach lawsuits almost uniformly allege that the breach resulted from inadequate cybersecurity measures. So why do healthcare organizations expose themselves to lawsuits when they could be proactive?

As cyberattacks become more common, healthcare organizations must do better with their cybersecurity. For one thing, covered entities must review and update their privacy and security policies and procedures, including the periodic risk analysis the HIPAA Security Rule requires.

Along with this, they should provide regular and up-to-date employee awareness training. Necessary technical safeguards to block breaches include:

RELATED: The zero trust approach to managing cyber risk

Finally, it is important to ensure that business associates also employ strong cybersecurity measures. Healthcare organizations must always have a signed business associate agreement (BAA) in place and understand what their third-party vendors actually do to protect PHI.

A data breach is foreseeable, but PHI can remain secure with a proper cybersecurity program. Healthcare organizations can greatly reduce the risk of disrupted service, HIPAA violations, and possible lawsuits with a practical approach to cybersecurity.

Try Paubox Email Suite Plus for FREE today.