Businesses related to health care have become prime targets of data breaches and ransomware attacks because of the value of the information they maintain. The complaint for this class action alleges that Empress Ambulance Service, LLC, which does business as Empress EMS, failed to protect the personally identifiable information (PII) in its systems from a cyberattack and therefore bears responsibility for the exposure of the information.
The class for this action is all persons whose PII was compromised as a result of the data breach, including those who received notice letters from Empress EMS.
The complaint describes Empress as “an emergency medical services and aftercare transportation provider.” As such, Empress maintains valuable PII and insurance information on its customers.
Cybercriminals were able to gain access to Empress’s systems on May 26, 2022, the complaint alleges, although Empress did not notice this until July 14, 2022. Empress’s Notice of Data Breach claimed that they “copied a small subset of files on July 13, 2022” but the complaint suggests that the intrusion was much more extensive, alleging that “cybercriminals had undetected and unfettered access to [Empress’s] network for nearly two months. During that time, the unauthorized cybercriminals acquired hundreds of thousands of people’s most sensitive PII.”
Empress maintained information for well over 300,000 people and the complaint alleges that the attack exposed “names, dates of service, Social Security numbers, and insurance information.”
The complaint alleges that “files in certain systems had been encrypted as part of a ransomware attack.” According to databreaches.net, a ransomware hacking group called Hive conducted the attack. The complaint quotes communications with Hive as saying, in all caps, “! ! ! DO NOT TRY TO DECRYPT OR CHANGE ENCRYPTED FILES ON YOUR COMPUTERS. IT WILL COMPLETELY DESTROY THEM ! ! !” Hive also said it had “[d]ownloaded most important information with a total size over 280 GB” plus employee and customer information.
Empress’s failure to protect the information, the complaint says, “unlawful, willful and wanton…” The complaint claims, “Empress EMS was grossly negligent and disregarded the obvious and substantial risks of such an attack—an attack that was undetected for weeks and that was only detected after the cybercriminals chose to make their presence on [Empress’s] system known.
The complaint alleges that Empress has offered the individual victims a “woefully inadequate twelve months of identity theft repair and monitoring services. Twelve months of identity theft and repair and monitoring is, however, inadequate to protect [the individual victims] from a lifetime of identity theft risk.”
Article Type: LawsuitTopic: Privacy
Most Recent Case Event
Empress EMS Ransomware Attack and Data Breach Complaint
October 14, 2022
Businesses related to health care have become prime targets of data breaches and ransomware attacks because of the value of the information they maintain. The complaint for this class action alleges that Empress Ambulance Service, LLC, which does business as Empress EMS, failed to protect the personally identifiable information (PII) in its systems from a cyberattack and therefore bears responsibility for the exposure of the information.
Empress EMS Ransomware Attack and Data Breach ComplaintCase Event History
Empress EMS Ransomware Attack and Data Breach Complaint
October 14, 2022
Businesses related to health care have become prime targets of data breaches and ransomware attacks because of the value of the information they maintain. The complaint for this class action alleges that Empress Ambulance Service, LLC, which does business as Empress EMS, failed to protect the personally identifiable information (PII) in its systems from a cyberattack and therefore bears responsibility for the exposure of the information.
Empress EMS Ransomware Attack and Data Breach Complaint