A class-action lawsuit was recently filed against Baltimore-based LifeBridge Health over its 2016 health data breach, discovered and disclosed to the public in May 2018. This Baltimore provider discovered malware on its EHR server, but the initial cyberattack began in September 2016, as reported by HealthITSecurity. The lawsuit alleges officials should have known sooner.
According to the release, law firm Murphy, Falcon and Murphy filed the statewide suit in Maryland on behalf of the 530,000 patients impacted by the September 2016 breach. The attorneys claimed LifeBridge failed to “ensure the integrity of its servers and to properly safeguard patients' highly sensitive and confidential information.”
In early 2018, LifeBridge discovered the malware attack on one of the EHR servers of Potomac Physicians, one of the provider’s physician practices, and on the shared registration and billing system for other LifeBridge providers.
However, the investigation determined the initial breach occurred 18 months earlier in September 2016. During this time, hackers had access to the infected systems. The breached data included patient names, addresses, dates of birth, medication details, diagnoses, insurance data, and clinical and treatment information. For some patients, Social Security numbers were also compromised.
The lawsuit alleges that LifeBridge should have known about the breach well before the discovery date and that it exposed patients to harm. Further, the suit argues that the conduct violated several privacy regulations, including the Maryland Consumer Protection Act, the Social Security Number Privacy Act, and the Maryland Personal Information Act.
Jahima Scott and Darlene Johnson are named as defendants in the lawsuit as two affected consumers. According to court documents, Scott became a victim of credit card fraud shortly after the LifeBridge breach was announced. Scott and Johnson argued they’ve spent money, effort, and time monitoring accounts for fraudulent activity and are seeking damages in excess of $30,000.
Risk assessments and periodic compliance scans are critical and would have yielded evidence of this breach sooner. Healthcare organizations should adhere to a schedule of security activities and staff training to ensure the sanctity of patient information. Contact HIPAAcraticRx to institute such a program for your medical practice.