The first lawsuit stemming from a February announcement that the University of Connecticut Health Center suffered a data breach impacting patient data has been filed in federal court.
UConn Health patient Yoselin Martinez filed a class action lawsuit on March 18 on behalf of herself and other former and current patients impacted by the breach. UConn Health announced on Feb. 25, nearly two months after the breach occurred on Dec. 24, that a hacker had gained access to employee email accounts through a phishing attack and exposed the personal data of more than 326,000 patients.
The information exposed included some personal and medical information, including some patients’ names, dates of birth, addresses and limited medical information, such as billing and appointment information. The lawsuit alleges that patients’ Social Security numbers were also exposed.
UConn Health officials did not immediately respond to a request for comment.
UCLA Health recently reached a proposed $7.5 million settlement for a class action lawsuit stemming from a massive data breach in May 2015 that potentially impacted 4.5 million patients.
Martinez alleges in the lawsuit that UConn Health failed to properly secure and safeguard patients’ personally identifiable information and failed to provide timely, accurate and adequate notice that their information had been compromised.
“UConn disregarded the rights of plaintiff and class members by intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected,” the lawsuit states. “The deficiencies in defendants’ data security protocols were so significant that the breach likely remained undetected for months. Intruders, therefore, had months to access, view, and steal patient data unabated. … Timely action by UConn would likely have significantly reduced the consequences of the breach.”
“Among other things, [UConn Health] failed to exercise reasonable care, and to implement adequate cybersecurity training, including, but not limited to, how to spot phishing emails from unauthorized senders,” according to the lawsuit.
In the lawsuit, Martinez alleges that shortly after being notified of the data breach in February, she checked her bank account, which had been overdrawn. Bank officials said the charge was the result of a fraudulent transaction on her account. The lawsuit alleges that Martinez and other patients will continue to be at “heightened risk for financial fraud and identity theft for years to come.”
The lawsuit cited a study by Experian which found that the average total cost of medical identity theft is about $20,000 per incident and that a majority of victims of medical identity theft were forced to pay out-of-pocket costs for healthcare they did not receive in order to restore coverage.
Despite well-publicized litigation and frequent public announcements of data breaches by medical and technology companies, UConn Health opted to maintain an “insufficient and inadequate system to protect the PHI and PII of patients,” the lawsuit states.
The lawsuit also describes UConn’s approach to maintaining the privacy of patients’ personally identifiable information and health information as “lackadaisical, cavalier, reckless, or at the very least negligent.”
The lawsuit seeks at least $5 million in damages and an injunction directing UConn Health to implement improved security procedures and measures.