HIPAA and Compliance News

Patient Breach Victims File Lawsuits Against Assured Imaging, BJC Health

Pysa ransomware hackers posted patient data from Assured Imaging online, while BJC Healthcare fell victim to a massive phishing attack; the breach victims filed lawsuits in response.

healthcare data breach lawsuits patient privacy HIPAA compliance breach notifications ransomware attack phishing campaigns employee security training

By Jessica Davis

- The patients impacted by two separate data breaches of Assured Imaging and BJC Healthcare have filed lawsuits against the providers, alleging security failings were behind the massive data compromises caused by ransomware and phishing incidents, respectively. 

On August 26, Arizona-based Assured Imaging, a mobile digital mammography provider, began notifying 244,813 patients that their data was potentially breached after a ransomware attack, which lasted from May 15 to May 17. 

In the process, patient data was exfiltrated. But the investigation could not determine just what data was stolen. A review of all impacted systems found that the hacker could have accessed patient names, contact details, medical histories, patient IDs, provided services, testing recommendations, and other sensitive information. 

What’s worse, Pysa or Mespinoza ransomware threat actors claimed they were behind the attack several weeks later. The hackers then posted “proofs” of the data they allegedly stole in an effort to force Assured Imaging into paying the ransom. 

The patients impacted by the breach filed a class-action lawsuit with the US District Court of Arizona, which alleges the victims “suffered ascertainable losses in the form of disruption of medical services, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.” 

READ MORE: Patient Data Privacy Lawsuit Against Google, UChicago Dismissed

The lawsuit further argues that Assured Imaging stored patient data on a computer system vulnerable to cyberattacks and the hack was a known risk. As a result of these security failings, the patient data was left in “a dangerous condition.” 

Further, the breach victims alleged that “had Assured properly monitored its property, it would have discovered the intrusion sooner."

It should be noted that Pysa or Mespinoza threat actors are part of the ongoing double extortion hacking trend, where through sophisticated means, hackers gain a foothold onto a network and hide on the victim's servers for days and even months before launching the final ransomware payload. 

Lastly, the lawsuit claims the Assured Imaging failed to comply with FTC guidelines and the minimum industry standards for data security, including applying all security updates, training and supervising employees on properly handling inbound emails, implementing policies and procedures to restrict access to patient health information, and failing to encrypt ePHI, among other assertions. 

“There is a strong probability that entire batches of stolen information have been dumped on the black market and are yet to be dumped on the black market, meaning [patients] are at an increased risk of fraud and identity theft for many years into the future,” according to the lawsuit. “Thus, [patients] must vigilantly monitor their financial and medical accounts for many years to come.” 

BJC Healthcare

READ MORE: Judge Dismisses Heritage Valley Malware Lawsuit Against Nuance

For BJC Healthcare, the lawsuit stems from a phishing attack first reported in May, which affected 19 hospitals affiliated with the Missouri-based health system. 

On March 6, three employees fell victim to the phishing scheme that officials said was detected the same day. The accounts were secured shortly after, but the investigation could not determine just what, if any, patient information, emails, or attachments were viewed by the attacker during the incident. 

BJC then reviewed all of the emails in the impacted accounts to determine what patients needed to be notified. The compromised accounts contained a trove of data that varied by patient, including medical record or patient account numbers, treatments, medications, Social Security numbers, health insurance information, provider names, and a host of other details. 

About 287,876 patients were affected by the incident. It was the third data breach reported by the health system in the last two years: the misconfiguration of a data server in March 2018 exposed the data of 33,420 patients for nearly a year, and a later malware attack potentially allowed hackers to intercept the financial transactions of 5,850 patients for about a month. 

Patients filed a class-action lawsuit against BJC in response to the latest breach, claiming that as a result of BJC’s “failure to implement and follow basics security procedures, the PHI of patients was made accessible to thieves.” 

READ MORE: Aveanna Healthcare Faces Lawsuit Over Monthlong Data Breach

As a result, the breach victims are now at an increased risk of additional instances of identity theft and resulting losses, and are “immediately and imminently in danger of sustaining some or further direct injury/injuries as a result of the identity theft they suffered when [BJC] did not protect and secure the PHI and disclosed the PHI to hackers.” 

“These further instances of identity theft are impending and imminent,” according to the lawsuit. “The PHI has all the information wrongdoers need, and the American government and financial system require, to completely and absolutely misuse [patients’] identity to their detriment.” 

Further, the lawsuit claims BJC did not adequately encrypt, if at all, PHI and failed to follow contractually agreed upon industry-standard security standards, including a failure to comply with HIPAA and the HITECH Act.  

Security leaders have consistently stressed that healthcare data breach lawsuits will continue to grow in frequency, given the number, size, and impact of modern security incidents. However, there’s currently no clear path to the conclusion of these lawsuits. 

Many breach lawsuits are settled out of court, so there are variances as to what constitutes actual harm in regard to data theft or exposure. Recent instances shine a light on these issues, such as Episcopal Health Services, Grays Harbor Community Hospital, LabCorp, Banner Health, and UnityPoint Health, just to name a few.