Assured Imaging, LLC is on the receiving end of a proposed class action filed over a May 2020 ransomware attack in which the private medical and personal information of roughly 244,813 patients was reportedly compromised.
The lawsuit alleges Assured Imaging, a mobile digital mammography provider, maintained patients’ data “in a reckless manner,” in particular by storing the information on a computer network vulnerable to cyberattacks. Per the complaint, the improper disclosure of patients’ data was a “known risk” to the defendant, whose failure to take steps to secure the information left it in “a dangerous condition.”
The suit further claims the defendant only became aware of the fact that its systems were compromised once the ransomware attack was initiated, apparently due to Assured’s failure to properly monitor the network and systems that housed patients’ personal data.
“Had ASSURED properly monitored its property, it would have discovered the intrusion sooner,” the case surmises.
According to the lawsuit, the cybersecurity incident began on May 15, 2020, when at least one Assured Imaging employee “opened the door for malignant software” to infect the company’s networks through an email. Between May 15 and May 17, cyberthieves had “unfettered access” to Assured Imaging’s computer systems and ultimately exfiltrated patients’ data, the suit says.
Per the case, the compromised information included patients’ names, addresses, dates of birth, patient IDs, facilities used, treating clinicians’ names, medical histories, services performed, assessments of those services, recommendations for future testing and other protected health and personal information.
Per the complaint, Assured Imaging was unaware that its systems had been compromised until May 19, when the cyberthieves launched a targeted ransomware attack. A ransomware virus, the case explains, is often the “final piece of a multiphase coordinated cyber-attack,” and usually involves hackers stealing and encrypting information within a target’s systems and then locking them down until the target pays a ransom.
According to the suit, the attack on Assured Imaging shut down its electronic medical record (EMR) system, which contains “considerable amounts” of protected health information. As the case tells it, disrupting a medical care provider’s EMR system, which the suit describes as the “brains of a hospital,” both blocks medical staff from accessing the vital information they need to perform “the most basic parts of their jobs” and diminishes their already limited time to treat patients.
Assured Imaging’s EMR system was shut down for days while the defendant worked to restore the encrypted files from backups, the lawsuit says.
Despite learning of the attack on May 19, it wasn’t until August 26, 2020 that Assured Imaging began notifying affected patients and various government agencies of the data breach, the case relays.
In a notice sent to patients, the healthcare provider reportedly stated it was “unaware of any misuse of any personal information contained within the impacted system” yet encouraged individuals to “remain vigilant” by reviewing their account statements and explanations of benefits for unusual activity.
The lawsuit alleges Assured Imaging failed to comply with Federal Trade Commission guidelines, much less minimum industry standards regarding data security.
The case details a laundry list of alleged missteps on Assured Imaging’s part, including its apparent failures to:
Maintain an adequate data security system;
Properly monitor its security system;
Apply all available security updates;
Install the latest software patches, update firewalls, check user account privileges, or ensure proper security practices;
Avoid the use of domain-wide, admin-level service accounts;
Employ or enforce the use of strong randomized, just-in-time local administrator passwords;
Train and supervise employees in the proper handling of inbound emails;
Ensure the confidentiality and integrity of protected health information (PHI);
Implement policies and procedures to restrict access to PHI, prevent and detect security violations, and review system activity;
Protect against reasonably anticipated threats;
Train workers on and ensure compliance with HIPAA security standards; and
Encrypt patients’ electronic PHI.
“As the result of computer systems in dire need of security upgrading, inadequate procedures for handling emails containing ransomware or other malignant computer code, and inadequately trained employees who opened files containing the ransomware virus, Defendant ASSURED negligently and unlawfully failed to safeguard Plaintiffs’ and Class Members’ Private Information,” the complaint scathes.
Patients affected by the data breach not only suffered a disruption of their medical care but have been exposed to an increased risk of identity theft and fraud for an undetermined amount of time, the case alleges, warning against what could happen to the stolen information.
“There is a strong probability that entire batches of stolen information have been dumped on the black market and are yet to be dumped on the black market, meaning Plaintiffs and Class Members are at an increased risk of fraud and identity theft for many years into the future,” the lawsuit reads. “Thus, Plaintiffs and Class Members must vigilantly monitor their financial and medical accounts for many years to come.”
The suit looks to cover anyone whose personally identifiable information and protected health information were compromised as a result of the ransomware attack discovered by Assured Imaging around May 19, 2020.