Maternal & Family Health Services Sued Over Ransomware Attack and Data Breach
A lawsuit has been filed against Maternal & Family Health Services (MFHS) in Pennsylvania which alleges the healthcare provider failed to protect patient data and did not send timely breach notifications.
In January 2023, MFHS, one of the largest healthcare providers in the state, notified approximately 461,000 current and former patients about a security breach. According to the notifications, unauthorized individuals gained access to its network and used ransomware to encrypt files. MFHS said the sophisticated ransomware attack was discovered in April 2022. The forensic investigation confirmed the attackers had access to its network between August 2021 and April 2022, during which time they had access to, and potentially stole, patient data such as names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account/payment card information, medical information, and health insurance information. At the time of issuing notifications, misuse of patient data had not been detected; however, as a precaution, complimentary credit monitoring and identity theft protection services were offered to affected patients.
On March 3, 2023, a lawsuit was filed against the Wilkes-Barre-based healthcare provider in the U.S. District Court for the Middle District of Pennsylvania. The lawsuit alleges negligence, breach of contract, breach of implied contract, breach of fiduciary duty, and breach of confidence. According to the lawsuit, MFHS was negligent by failing to implement reasonable and appropriate safeguards to protect the privacy of patients, then failed to issue timely notifications when the breach was detected.
The lawsuit names Chris Izquierdo of Scranton, PA as the lead plaintiff. Izquierdo, a former patient of MFHS, was notified about the data breach in January 2023 and claims his protected health information was stolen in the attack and has been misused. At least five credit card accounts were opened in his name in Florida since the breach occurred, and charges have been applied to those accounts. Izquierdo claims he has been told he must pay the interest accrued on those cards. The lawsuit also takes issue with the delay in notifications, which were sent almost 9 months after the breach was detected, when the HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a data breach.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The lawsuit seeks damages, injunctive relief requiring MFHS to implement comprehensive cybersecurity measures to better protect patient data, and attorneys’ fees and legal costs. The plaintiff is represented by Gazda Penetar PC and Morgan & Morgan.
