Dive Brief:
- Baltimore-based Johns Hopkins Health System was hit with a class action lawsuit last week alleging negligence after the hospital system uncovered a third-party data breach in May.
- The lawsuit, filed in Maryland District Court, alleges that the health system failed to implement safeguards to secure the personal health information and identifiable data of those affected by the breach.
- On May 31, Johns Hopkins discovered that it had been the victim of an attack, carried out by a Russian-linked ransomware group, that exploited a vulnerability in a file transfer software. Although the total number of affected people is unknown, it is estimated to include “tens/hundreds of thousands” of people, according to the lawsuit.
Dive Insight:
The class action suit comes as hacking incidents at healthcare firms grow as more companies and health systems pivot to electronic health records. From 2010 to 2022, 385 million patient records were exposed due to data breaches, according to federal records.
Filed on July 7 by Pamela Hunter — a client of the hospital — the lawsuit alleges that the health system was aware of the “substandard” condition of its information systems, and broke its implied covenant of good faith by not maintaining adequate security protocols.
Johns Hopkins’ data breach occurred through a vulnerability in its MOVEit file transfer software. The MOVEit breach affected several government agencies, including the U.S. Department of Energy, and was attributed to Russian-linked ransomware group Cl0p. In February, the HHS warned that Cl0p was responsible for breaches at healthcare organizations, including an attack at Tennessee-based Community Health Systems.
Although Johns Hopkins was aware of the data breach in May, the class action suit alleges that Hunter did not receive notice of the breach — and was not even aware that the system stored her personal health data — until she received a letter dated June 24. Although HIPAA requires that hospitals notify individuals of a data breach “without reasonable delay” and no later than 60 days following the discovery, the lawsuit claims that plaintiffs lost time dealing with potential consequences of the breach, and were given insufficient details regarding the stolen data.
“Plaintiff and the Class Members remain, even today, in the dark regarding what data was stolen, the particular malware used, and what steps are being taken to secure their PHI/PII and financial information going forward,” the lawsuit states.
Last year, the healthcare industry was the most common victim of third-party breaches as hospitals struggled to recover from the COVID-19 pandemic, according to a report from cyber intelligence firm Black Kite. The industry’s poor cybersecurity protocols, combined with its interconnected health information systems, make healthcare the highest-risk sector for third-party vendor breaches, according to the report.
Just this week, HCA Healthcare reported a data security incident that may have affected more than 11 million patients.