A class-action lawsuit was filed against Baltimore-based LifeBridge Health on Thursday over its 2016 health data breach, disclosed to the public in May 2018.
According to the release, law firm Murphy, Falcon and Murphy filed the statewide suit in Maryland on behalf of the 530,000 patients impacted by the September 2016 breach. The attorneys claimed LifeBridge failed to “ensure the integrity of its servers and to properly safeguard patients' highly sensitive and confidential information.”
On March 18, LifeBridge discovered the malware attack on one of its EHR servers of Potomac Physicians, one of the provider’s physician practices, and the shared registration and billing system for other LifeBridge providers.
However, the investigation determined the initial breach occurred 18 months earlier in September 2016. During this time, hackers had access to the infected systems. The breached data included patient names, addresses, dates of birth, medication details, diagnoses, insurance data, and clinical and treatment information. For some patients, Social Security numbers were also compromised.
The lawsuit alleges that LifeBridge should have known about the breach well before the discovery date and that it exposed patients to harm. Further, the suit argues that the conduct violated several privacy regulations, including the Maryland Consumer Protection Act, the Social Security Number Privacy Act, and the Maryland Personal Information Act.
“LifeBridge's failure to protect their patients' information demonstrates a serious lack of judgment and oversight,” Hassan Murphy, Managing Partner at Murphy, Falcon and Murphy, said in a statement. “[They] should have implemented appropriate and adequate technological safeguards to prevent such a massive cyberbreach from occurring, and certainly should have notified its patients immediately after learning of the breach.”
“This data breach has compromised every aspect of these patients' personal identities and has subjected them to significant harm,” he added. “We will continue working until LifeBridge fixes this problem and makes these victims whole.”
Jahima Scott and Darlene Johnson are named as defendants in the lawsuit as two affected consumers. According to court documents, Scott became a victim of credit card fraud shortly after the LifeBridge breach was announced.
Scott and Johnson argued they’ve spent money, effort, and time monitoring accounts for fraudulent activity and are seeking damages in excess of $30,000.
Breach lawsuits are not uncommon, but most are dismissed due to the lack of evidence of physical harm caused by the event. The lawsuit against CareFirst for its 2014 data breach of 1.1 million members has moved around Maryland circuit courts in recent years, focused on the premise of harm.
In August 2017, a U.S. Court of Appeals in the District of Columbia allowed the lawsuit to continue. CareFirst argued that if the Supreme Court did not hear its case, companies in every sector would be hit with a “flood” of data breaches in the future. The Supreme Court declined to hear its case.