A lawsuit filed against Prospect Medical Holdings over a ransomware attack has managed to survive a motion to dismiss.
In early August 2023, Prospect Medical Holdings, a healthcare provider, detected unauthorized access to its network. A subsequent investigation revealed that an unknown third party had been within the system for approximately four days before the intrusion was discovered.
The Rhysida ransomware group claimed responsibility for the attack, boasting that they had stolen a database containing over one terabyte of customers' personally identifiable information (PII) and protected health information (PHI), including more than half a million Social Security numbers.
Rhysida threatened to sell or publish the data if the ransom demands were not met. Unfortunately, Prospect was unable to reach an agreement, leading to the release and potential sale of the stolen information.
After the data breach, multiple lawsuits were filed, including one representing a nationwide class of affected people. The plaintiffs claimed various harms, with six reporting attempted fraudulent transactions using their personal information.
Judge Wendy Beetlestone partially denied Prospect Medical Holdings' motion to dismiss, agreeing that the plaintiffs had shown harm.
The negligence claim will continue, but the claims for negligence per se and FTC Act violations were dismissed. The breach of implied contract claim was dismissed due to lack of evidence. Claims of common law privacy and violation of the California Constitution were dismissed with prejudice, while the California Unfair Competition Law claim was dismissed but may be amended. The Confidentiality of Medical Information Act (CMIA) claim was upheld, as it seemed likely that the patient files sold on the dark web included medical histories.
"Class actions are becoming more common, and in fact the threat of this litigation is being used as additional leverage to coerce victim organizations into paying extortion demands by cybercriminals," said Mike Hamilton, founder and Chief Information Security Officer of firm Critical Insight.
The court's decision to allow the lawsuit to proceed is a victory for patients and a clear message to healthcare organizations about the significance of data security.
Moreover, the court's recognition of the plaintiffs' standing and the plausibility of their claims sends a strong signal that patients have a valid legal recourse when their personal and medical information is compromised. The case could encourage other individuals affected by data breaches to seek justice and hold healthcare organizations responsible for their negligence.
A data breach occurs when sensitive, protected, or confidential data is accessed, disclosed, or stolen by unauthorized individuals. It can include personal information such as names, Social Security numbers, credit card details, and medical records. Data breaches can result from hacking, malware attacks, insider threats, or inadequate security measures.
Ransomware is malicious software designed to block access to a computer system or data, typically by encrypting it, until a ransom is paid. Attackers often demand payment in cryptocurrency to release the decryption key and restore access to the locked data or system.
Healthcare organizations can reduce the risk of data breaches by implementing strong cybersecurity measures, conducting regular security training for employees, and using encryption to protect sensitive data.