The Louisiana-based private ambulance service is facing a lawsuit following a large data breach.
Acadian Ambulance, a private ambulance service provider serving Louisiana, Mississippi, Tennessee, and Texas, faced a data breach on June 21st.
A hacking group, known as the Daixin Team, encrypted up to 2,000 of its servers and threatened to publish sensitive data of up to 10 million individuals. The group demanded a $7 million ransom to have the data deleted, but Acadian initially only offered $173,000. Reports indicate Acadian increased the offer, but no agreement was ever reached.
According to the Daixin Team, the malicious organization had 11 million lines of data, including patient names, dates of birth, phone numbers, medical histories, employment information, symptoms, and suspected drug use.
Despite the breach, Acadian released a statement explaining that the ambulance service was able to "continue operations with no negative impact on patient care.”
Since then, Acadian has begun facing several class action lawsuits. The company initially faced eight unique suits, but Acadian requested the suits be consolidated, saying that they arose from the same incident and asserted similar claims. On August 14th, U.S. Magistrate Judge Carol B. Whitehurst granted the request.
The suits have been filed by both patients and former employees and assert the frustration and uncertainty the impacted individuals feel regarding the breach.
Several plaintiffs said they have spent time and money attempting to mitigate the harms from the breach, and others said that the company did not offer recovery or protective services.
In a statement, an Acadian spokesperson said the incident is part of a “growing trend of data security incidents that have affected numerous large companies, including prominent technology and healthcare firms.”
The company also challenged the reliability of some of Daixin Team’s claims, saying “Despite claims made by the perpetrators of this cyber attack, we believe the number of affected persons is much less than reported, and private employee data, such as full Social Security numbers, were not compromised.”
Lawsuits cite the continued difficulties victims of breaches may face. “The exposure of one’s private information to cybercriminals is a bell that cannot be un-rung,” said one lawsuit.
The case highlights the uncertainty impacted individuals may feel after a breach. Often, they are not given updates about their data or if a ransom was paid, as this can impede investigation processes.
While lawsuits continue to increase, they remind us that data breaches can impact an organization’s financial status and reputation. Healthcare companies must do everything they can to prevent a breach before it becomes a bigger issue.
Related: HIPAA Compliant Email: The Definitive Guide