A proposed class action lawsuit claims Memorial Hospital at Gulfport Foundation, Inc. failed to properly protect patients’ personal information and timely alert those affected by an alleged data breach.
The case claims the Mississippi hospital discovered in December 2018 that an employee’s email account had been compromised due to an email phishing scam and that, as a result, a malevolent actor had gained “unfettered access” to about 30,000 patient records over an 11-day period. The suit states that although the reportedly “preventable” breach was discovered by the hospital in December 2018, the defendant waited until well into February 2019 to notify patients whose personally identifiable information was exposed. Data allegedly leaked in the breach included patients’ names, dates of birth, health insurance and healthcare information, Social Security numbers, and other personal details.
According to the complaint, the breach stemmed from the defendant’s failure to implement “adequate and reasonable” cybersecurity measures such as those recommended by the federal government. The case notes that the Federal Trade Commission (FTC) has published materials detailing specific cybersecurity best practices for protecting sensitive personal information. To protect user data, the FTC recommends that companies:
Encrypt information stored on computer networks;
Understand network vulnerabilities;
Properly dispose of personal information that’s no longer needed;
Implement policies to correct security problems;
Use intrusion detection systems to immediately expose breaches;
Monitor all incoming traffic for activity that could indicate an attempted hack;
Watch for large amounts of data being transmitted from the system; and
Have a response plan ready in the event of a breach.
The case contends that the defendant failed to abide by these recommendations and other reasonable cybersecurity measures.
The lawsuit stresses that phishing scams like the one that caused the Memorial Hospital breach are well known within the cybersecurity community and easily preventable. According to the case, the fact that the defendant was victimized by such a common and easily avoidable scheme shows that its employees were not well trained in basic cybersecurity. From the complaint:
“Unfortunately, MHG failed to employ any of these defenses to the detriment of Plaintiff and tens of thousands of Class Members. As evidenced by the success of the phishing attack, it is clear that MHG failed to ensure that its employees were adequately trained on even the most basic of cybersecurity protocols, including:
How to detect phishing e-mails;
Effective password management and encryption protocols for internal and external e-mails;
Avoiding responding to e-mails that are suspicious or from unknown sources;
Locking, encrypting and limiting access to computers and files containing sensitive information; and
Implementing guidelines for maintaining sensitive data.”
The complaint concludes by alleging that the defendant’s apparent failure to safeguard patient information is a violation of the Health Insurance Portability and Accountability Act (HIPAA), which lays out specific privacy rules to ensure the “confidentiality, integrity and security” of individuals’ medical data.