After experiencing a cyberattack on its computer systems in June, Lamoille Health Partners is being sued in federal court for not being adequately prepared for the attack.
A lawsuit filed Sept. 1 in Vermont’s federal court alleges that patients’ personal information “is now in the hands of data thieves.”
The lawsuit claims those data thieves can commit a variety of crimes, such as taking out loans and opening new financial accounts, filing fraudulent tax returns, obtaining drivers’ licenses and giving police false information during an arrest, all using patients’ names and other information.
The lead plaintiff is Patricia Marshall, a Saint Albans resident. She and any class action members are demanding compensatory damages and reimbursement of out-of-pocket costs, as well as a requirement that Lamoille Health Partners improve its data security systems, annual audits and credit monitoring services.
Matthew Byrne, of the Burlington law firm Gravel & Shea, filed the lawsuit, which claims Lamoille Health Partners failed to comply with Federal Trade Commission guidelines and industry standards, and violated standards spelled out by the Health Insurance Portability and Accountability Act (HIPAA).
The 52-page lawsuit alleges 16 “negligent acts” by the health care organization, all of which amount to claims that the organization failed to maintain an adequate data security system and properly monitor it to reduce the risk of data breaches; failed to adequately protect patients’ private information; failed to have proper procedures for handling data; and violated federal privacy and cybersecurity laws and industry guidelines.
“As the result of antivirus and malware protection software in dire need of security updating, inadequate procedures for handling phishing emails or emails containing viruses or other malignant computer code, and other failures to maintain its networks in configuration that would protect against cyberattacks like the ransomware intrusion here, Defendant negligently and unlawfully failed to safeguard Plaintiff’s and Class Members’ Private Information by allowing cyberthieves to access, and hold hostage, LHP’s IT systems, which contained unsecured and unencrypted Private Information,” the lawsuit states.
According to the suit, the health center did not indicate to the Vermont Attorney General’s office or the patients involved in the class action lawsuit whether it got the personal information back from the culprits, or how long they had access to the data.
The lawsuit claims the risks to the plaintiffs “will remain for their respective lifetimes.”
Lamoille Health Partners CEO Stuart May said the organization’s lawyers will answer the suit — there had been no answer filed as of press deadline — and he would not comment in depth on the suit’s merits. He did, however, reiterate what he said to the newspaper earlier this summer when reporting the security breach.
“We take safeguarding patient information and partnering with patients to help maximize their health status very seriously,” May said Wednesday.
The U.S. health care industry has in recent years become a top target for cyberattacks, a point the lawsuit brings up as part of its argument that Lamoille Health Partners ought to have known better.
Citing statistics from the Identity Theft Resource Center, the lawsuit states there were a record 1,862 data breaches reported last year in America, which resulted in 294 million “sensitive records” being exposed. Of those breaches, 17.7 percent were in the medical or health care industry, potentially compromising 28 million sensitive records.
“Cyberattacks have become so notorious that the Federal Bureau of Investigation and U.S. Secret Service have issued a warning to potential targets so they are aware of, and prepared for, a potential attack,” the lawsuit states, continuing later, “in light of the above, the increase in such attacks, and attendant risk of future attacks, was widely known to the public and to anyone in Defendant’s industry, including Defendant.”
The suit also claims Lamoille Health Partners did not indicate if it paid any money to recover the data.
May told the News & Citizen last month that the organization did not pay a ransom.
