Last October, Wilmington Surgical Associates was dealing with a ransomware attack.
Allegedly, the Netwalker ransomware group stole 13 gigabytes of data, an amount that in today's world easily fits on a flash drive, and leaked that data online.
The patients of the North Carolina clinic whose data was stolen and leaked are seeking “redress for its unlawful conduct, and asserting claims for: negligence; negligence per se; invasion of privacy; breach of implied contract and fiduciary duty; and violation of the [State’s] Unfair and Deceptive Trade Practices Act…”
Hackers often post "proof" that they have really stolen the data. In this case, the initial post leaked 3,702 files and 201 folders, which included both patient and employee data. Given the nature of the business, most of the stolen data was likely sensitive.
The clinic notified about 114,000 people just before Christmas, likely within the 60-day window that the HIPAA Breach Notification Rule allows after discovery of a breach.
The lawsuit says that Wilmington Surgical inadequately protected the PHI and PII in its possession and maintained that data in a reckless and negligent manner.
The plaintiffs also claim that the clinic failed to properly monitor its network, systems and servers.
The lawsuit seeks compensatory damages, reimbursement of out-of-pocket expenses, restitution, and injunctive relief. The patients also want the court to require Wilmington Surgical to improve its data security systems, as well as adhere to annual auditing and adequate credit monitoring services to be paid by the provider.
While some of these suits are settled quietly, others end in multi-million-dollar settlements. A number of similar lawsuits have been filed recently.
So here is my question for you. If you had a breach and the claim against you was similar to the one quoted above, how would you, or could you, defend yourselves? Just asking.
Credit: Health IT Security