The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Johns Hopkins Facing Multiple Lawsuits Over MOVEit Data Breach

Two lawsuits have recently been filed in the U.S. District Court for the District of Maryland against Johns Hopkins University and Johns Hopkins Health System that allege a failure to properly secure and safeguard the protected health information of patients, resulting in the theft of their data by the Clop ransomware group.

In May 2023, the Clop ransomware group targeted a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. The attacks occurred in late May and affected more than 150 organizations, resulting in the theft of the personal and protected health information of millions of individuals. Johns Hopkins has yet to confirm how many staff members, students, and patients were affected, as the investigation into the incident has not yet concluded, but has said that names, addresses, dates of birth, and Social Security numbers were stolen in the attack.

The two lawsuits make similar claims and allege a failure to implement appropriate security safeguards to protect personally identifiable information (PII) and protected health information (PHI). One of the lawsuits, filed on July 7 and naming Pamela Hunter as plaintiff, claims the attackers stole the sensitive data of tens and possibly hundreds of thousands of individuals as a result of the defendants “intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures to ensure that Plaintiff’s and Class Members’ PHI/PII was safeguarded,” and “failing to follow applicable, required and appropriate protocols, policies, and procedures regarding the encryption of data, even for internal use.”

The lawsuit also alleges the defendants did not meet their obligations under the HIPAA Privacy and Security Rules regarding the safeguarding of protected health information, and violated the HIPAA Breach Notification Rule by unnecessarily delaying breach notifications. The lawsuit alleges negligence, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and unjust enrichment. A second lawsuit, filed on July 10 and naming Maria Gregory and Ayomiposi Asaolu as plaintiffs, makes similar claims about the failure to protect PII/PHI. That lawsuit alleges negligence, negligence per se, breach of fiduciary duty, breach of confidence, intrusion upon seclusion/invasion of privacy, breach of implied contract, and unjust enrichment.

Both lawsuits allege the plaintiffs and class members have been harmed as a result of the data breach and claim an injury has been suffered in the form of lost time and money protecting against identity theft and fraud, diminution of the value of their PHI/PII, anxiety over the impact of the data breach, and an imminent and substantial risk of identity theft and fraud due to the theft of their sensitive data. The lawsuits seek damages and injunctive relief and suggest a list of measures that should be implemented to prevent similar data breaches in the future.

The lawsuits are likely to hinge on whether the plaintiffs are determined to have suffered a concrete injury as a result of the data breach, and whether any such injury can be attributed to this specific data breach. Pamela Hunter and the class are represented by Courtney L. Weiner and Laukaitis Law LLC, and Maria Gregory and Ayomiposi Asaolu and the class are represented by Tycko & Zavareei LLP and Edelson Lechtzin LLP.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
