Morley Companies Ransomware Attack and Data Breach Class Action

Morley Companies, Inc. offers business services to healthcare providers. Companies that keep healthcare information as well as other private information have become favorite targets of cybercriminals, and the complaint for this class action alleges that Morley did not put in place sufficient security measures to prevent a data breach that occurred as part of a ransomware attack that started in August 2021.

The Nationwide Class for this action is all persons whose PII was maintained by Morley and compromised as a result of the data breach publicly announced in or around August of 2021. A Michigan Subclass has also been defined, for those in the above class who are residents of Michigan.

Morley noticed the data breach when it found that a ransomware attack on its systems had stopped access to certain files and folders in its systems. The files and folders contained personally identifiable information (PII) and private health information (PHI) and had been accessed by cybercriminals.

Morley claimed that its investigation ran until January 18, 2022, but the complaint alleges that its cybersecurity consultants did not finish their investigation until February 1, 2022. The complaint claims that the plaintiffs in this case received their notices of the data breach in late January or early February 2022.

The complaint alleges, “The Breach was caused and enabled by [Morley’s] violation of its obligations under the law and failure to abide by industry standards and its own policies in implementing adequate security measures.” It claims that if Morley had put adequate security measure into place, “the Breach could have been prevented or mitigated.” It also claims that Morley was “aware that healthcare information has been increasingly targeted by cybercriminals.”

The plaintiffs in this case have already experienced problems because of the data breach, the complaint alleges. For example, the complaint claims that plaintiff Carole Dangelo found out through the identity-monitoring service on her Discover card that her and her husband’s PII was for sale on the dark web.

Also, it says, plaintiff Sophia Marks has had a rash of spam calls asking her to provide medical information. The complaint alleges that the calls are from “people who claim to be health insurance providers, doctors, or other healthcare professionals related to services she did not request or receive in the past. These spam calls are likely attempts by cybercriminals to obtain additional PII from Ms. Marks, which can then be used in combination with the information stolen from the ransomware attack on [Morley’s] systems to perpetrate fraud.

The complaint alleges that Morley promised that all the patient PII it collected, and the information submitted by patients and employees, would be adequately protected from disclosure to others, but it claims that Morley failed in this task.

In addition, the complaint alleges that Morley “also failed to implement adequate monitoring and auditing systems as the systems were locked by ransomware, accessible by unauthorized parties for months—despite the fact that [Morley] apparently knew about the ransomware as early as August of 2021.

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy