
Medical companies have become primary targets of cybercriminals, because of the wealth of personally identifiable information (PII) and protected health information (PHI) they store. This class action brings suit against Southern Orthopedic Associates, PSC (SOA), which does business as Orthopaedic Institute of Western Kentucky, for an incident that the complaint calls a “massive and preventable ransomware attack” that exposed the information of more than 100,000 people.
The Nationwide Class for this action is all persons living in the US who are current or former patients of SOA who had their PII or PHI compromised by a third-party cybercriminal in the data breach that occurred between June 24 and July 8, 2021. A Kentucky Subclass has also been defined for those in the above class who live in Kentucky.
SOA discovered the data breach on or around July 7, 2021, because of suspicious activity relating to an employee email account. The complaint alleges that an investigation determined that an unauthorized person obtained access to several employee email accounts during the above time period.
The exposed information possibly included names, dates of birth, Social Security numbers, driver’s license and passport numbers, financial account numbers, payment card numbers and security codes, medical billing or claims information, diagnosis, and Medicare, Medicaid, or other health insurance information, among other things.
According to the complaint, the data breach happened because of SOA’s “negligence, gross negligence, and/or recklessness and data security failures[.]” It claims that the “PII/PHI was improperly handled, inadequately protected, readily able to be copied by thieves and not kept in accordance with basic security protocols.”
Data breaches at healthcare systems are increasingly common, the complaint alleges, now making up around 30% of all data breaches. It claims, “Cybercriminals view patient care facilities as being more likely to pay ransoms to regain access to their systems since extended downtime is intolerable. Consequently, health data systems require enhanced security and should be breach-proof.”
The complaint therefore says that SOA knew or should have known it was a likely target of a data breach and should have been prepared and taken adequate precautions to safeguard the information it held in its systems.
The complaint claims that SOA did not comply with requirements of the Federal Trade Commission (FTC) for data security. It points in particular to the FTC publication, “Protecting Personal Information: A Guide for Business,” which contains guidelines for “data security principles and practices for business.” The complaint lists a number of these practices and alleges that the FTC has brought enforcement actions against some companies that have not adequately and reasonably protected private information.
Article Type: Lawsuit
Topic: Privacy
Most Recent Case Event
Southern Orthopedic Associates Data Breach Complaint
August 16, 2022