
Jacksonville Spine Center, PA, which does business as Jax Spine and Pain Centers, experienced a data breach on or around January 24, 2022. The complaint for this class action alleges that the data breach exposed the personally identifiable information (PII) and protected health information (PHI) of around 38,000 people, and that they are now “victims of Jax Spine’s negligent and/or careless acts and omissions…”
The class for this action is all Florida residents who are current or former patients of Jax Spine whose PII or PHI was accessed or exfiltrated in the data breach.
The complaint alleges, “By obtaining, collecting, using, and deriving a benefit from” its patients’ PII, “Jax Spine assumed legal and equitable duties to those individuals.” It alleges that “Jax Spine failed to use reasonable, up-to-date security practices and protocols to prevent the Data Breach that occurred.”
The data breach occurred on or around January 24, 2022, when an authorized party gained access to Jax Spine’s systems in a ransomware attack. The company announced the data breach on or around February 10, 2022, the complaint says, posting a notice on its website and sending notices out to patients and to the Office for Civil Rights of the Department of Health and Human Services (DHHS).
According to the complaint, Jax claimed the data breach involved only 38,000 individuals. The complaint quotes its notice as saying that the ransomware attack was on “an inactive server than maintained patient files created before May 2018.” The complaint also quotes it as saying, “The attackers only obtained demographic data such as names, addresses, dates of birth and [S]ocial [S]ecurity numbers for a limited number of individuals but no clinical data was accessed.”
However, the complaint says that on “the very same day, the cybercriminals taking credit for the Data Breach claimed to have stolen the full electronic health records (‘EHR’) of over 260,000 Jax Spine patients.”
Jax Spine’s notice did not mention whether or not it paid the ransom demanded, the complaint says.
The complaint quotes an article saying that hospitals have become a primary target for hackers, partly because they have so much valuable information, and partly because, “primarily due to budget and resources, hospital security systems are often less sophisticated and decentralized than those in other industries,” which may mean that they are easier to hack.
The complaint accuses Jax Spine of failing to apply the measures required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), failing to follow Federal Trade Commission (FTC) data security guidelines for businesses, and failing to meet industry standards set by DHHS.
Article Type: LawsuitTopic: Privacy
Most Recent Case Event
Jacksonville Spine Ransomware Attack and Data Breach Complaint
June 27, 2022
Jacksonville Spine Center, PA, which does business as Jax Spine and Pain Centers, experienced a data breach on or around January 24, 2022. The complaint for this class action alleges that the data breach exposed the personally identifiable information (PII) and protected health information (PHI) of around 38,000 people, and that they are now “victims of Jax Spine’s negligent and/or careless acts and omissions…”
Jacksonville Spine Ransomware Attack and Data Breach ComplaintCase Event History
Jacksonville Spine Ransomware Attack and Data Breach Complaint
June 27, 2022
Jacksonville Spine Center, PA, which does business as Jax Spine and Pain Centers, experienced a data breach on or around January 24, 2022. The complaint for this class action alleges that the data breach exposed the personally identifiable information (PII) and protected health information (PHI) of around 38,000 people, and that they are now “victims of Jax Spine’s negligent and/or careless acts and omissions…”
Jacksonville Spine Ransomware Attack and Data Breach Complaint