The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Lamoille Health Partners Facing Class Action Lawsuit Over 58K-Record Data Breach

Posted By on Sep 7, 2022

The Morristown, VT-based healthcare provider, Lamoille Health Partners, is facing a class action lawsuit over a June 2022 ransomware attack that affected almost 60,000 of its patients.

The attack was detected on June 13, 2022, with the investigation confirming the attackers gained access to its network the previous day. Before file encryption, the attackers potentially accessed or acquired documents from its systems that contained names, addresses, dates of birth, Social Security numbers, health insurance information, and medical treatment information.

On or around August 11, 2022, notification letters were sent to affected individuals, and complimentary identity protection and credit monitoring services were offered to patients whose Social Security numbers were potentially stolen. Lamoille Health Partners said the delay in issuing notification letters was due to the length of the investigation to establish which individuals had been affected and the types of information involved. The breach was reported to the HHS’ Office for Civil Rights as affecting 59,381 patients.

As is now common following healthcare data breaches, legal action is being taken by patients who had their protected health information exposed. The lawsuit alleges Lamoille Health Partners failed to implement appropriate safeguards to ensure the confidentiality of the protected health information stored on its systems, in violation of the HIPAA Security Rule. The plaintiff – Patricia Marshall –  says the negligence of Lamoille Health Partners means her sensitive information is in the hands of cybercriminals and she and the class members face an imminent and ongoing risk of identity theft and fraud.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The lawsuit also alleges there was an unnecessary delay in issuing notification letters to affected individuals, even though notification letters were sent within the 60-days allowed by the HIPAA Breach Notification Rule. The lawsuit – Marshall v. Lamoille Health Partners Inc. – was filed in the U.S. District Court for the District of Vermont on September 1, 2022, and seeks compensatory damages for the plaintiff and class members, and injunctive relief, requiring Lamoille Health Partners to implement further security measures to better protect patient data. The plaintiff is represented by Burlington, VT, lawyer Matthew B. Byrne of Gravel and Shea.

Update April 3, 2024: A $540,000 settlement has been proposed to resolve all claims made in the lawsuit.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist