Lawsuit Against Clinic Seeks Long List of Cyber Improvements

Proposed Class Action Filed Over Data Exfiltration Breach Affecting Nearly 442,000
An Alabama cardiovascular clinic is facing a proposed class action lawsuit on behalf of the nearly 442,000 individuals affected by a data exfiltration breach reported last month to federal regulators that potentially compromised a wide range of sensitive patient information.
Besides monetary damages, the lawsuit against Cardiovascular Associates (CVA) seeks injunctive relief ordering the Birmingham clinic to adopt a detailed list of measures, ranging from implementing and maintaining a comprehensive information security program to undergoing 10 years of annual, court-monitored SOC 2 Type 2 attestations conducted by an independent third-party assessor. The plaintiffs also demand that the clinic be enjoined from storing private information on a cloud-based database.
Among other claims, the lawsuit filed on Wednesday in federal court alleges the clinic neglected to safeguard patients' information on several fronts.
That includes alleged failure to comply with Federal Trade Commission guidelines, HIPAA regulations, and industry standards, such as those contained in the National Institute of Standards and Technology's Cybersecurity Framework.
As a result of these security deficiencies, class members are at risk of identity theft and fraud, the lawsuit alleges.
CVA declined Information Security Media Group's request for comment on the lawsuit and for additional details about the incident.
Incidents involving the exfiltration by hackers of vast troves of sensitive patient data are particularly worrisome, said attorney Jeff Westerman of the law firm Zimmerman Reed LLP, who is not involved in the lawsuit.
"When the hackers copy and remove data, that is a very bad breach scenario," he said. Data that CVA acknowledges hackers stole is "essentially the means that an individual uses to pay for things and identify themselves, like credit card information, Social Security numbers, driver's licenses and the other listed items," he added.
Exfiltration often translates into attackers using data for a secondary purpose, said regulatory attorney Rachel Rose, who is also not involved in the lawsuit.
"There is a greater risk to individuals that their information has been or will be posted on either the dark web or the internet. In turn, this gives class action members, as well as the government, a stronger basis for damages."
CVA reported the breach to the U.S. Department of Health and Human Services on Feb. 3 as a hacking incident involving a network server (see: 2 Health Data Hacks Affect More Than 1 Million Individuals).
In a breach notice, CVA says that it discovered the presence of hackers on Dec. 5, 2022.
Information potentially compromised in the incident was far-ranging. It includes names, birthdates, addresses, Social Security numbers, health insurance information, and medical and treatment information - including medical record number, dates of service, provider and facility names, procedure and diagnosis information, and possibly assessments, tests and imaging.
Also affected was billing and claims information - including account and claim status, billing and diagnostic codes, and payer information - passport and driver's license numbers and credit card, debit card and financial account information, CVA said.
The lawsuit complaint points out that CVA's breach notice does not contain a description of the type of data security incident that occurred, such as details about the incident's root cause or the type of vulnerabilities exploited.
"To date, these critical facts have not been explained or clarified to plaintiff and class members, who retain a vested interest in ensuring that their private information remains protected," the lawsuit alleges. "This 'disclosure' amounts to no real disclosure at all, as it fails to inform, with any degree of specificity."
The ramifications of CVA's alleged failure to keep secure the private information of plaintiff and class members "are long-lasting and severe," the lawsuit alleges. "Once private information is stolen - particularly Social Security numbers - fraudulent use of that information and damage to victims may continue for years."