Einstein Healthcare Network faces a proposed class action lawsuit over an August 2020 data breach that reportedly affected upward of 353,000 individuals.
According to the case out of Philadelphia County’s Court of Common Pleas, the healthcare provider failed to implement basic cybersecurity procedures to protect patients’ personal information and, despite learning of the breach, has not properly disclosed its full scope to those affected. The suit alleges Einstein’s patients now face a heightened risk of identity theft and fraud as a result of the defendant’s conduct.
“As a result of Einstein’s failure to implement and follow basic security procedures, Plaintiff’s and Class Members’ [personal health information] is now in the hands of criminals,” the complaint claims. “Plaintiff and Class Members now and will forever face a substantial increased risk of identity theft. Consequently, Plaintiff and Class Members have had to spend, and will continue to spend, significant time and money in the future to protect themselves due to Einstein’s failures.”
The lawsuit states that Einstein, whose healthcare network consists of three hospitals, 15 outpatient centers and 31 primary care practice locations in the Greater Philadelphia area, discovered suspicious activity within several of its employees’ email accounts in August 2020. After opening an investigation, the defendant determined that an unauthorized party had gained access to the workers’ email accounts between August 5 and August 17, 2020, the case relays.
Information allegedly exposed in the breach included patients’ names; dates of birth; medical record and patient account numbers; health insurance information; and treatment information, such as diagnoses, medications, providers, types of treatment and treatment locations. In some instances, patients’ Social Security numbers were also exposed, the lawsuit adds.
The case alleges that although Einstein sent notification letters to affected patients, many of the letters were “untimely and woefully deficient,” with some sent two months after the investigation concluded. Per the suit, Einstein failed to provide “basic details” concerning the breach, and offered one year of credit monitoring and identity protection only to those whose Social Security numbers were compromised. Other patients whose sensitive medical information was exposed have been offered no means of protecting themselves against “inevitable fraud and identity theft,” and instead warned to simply “review statements” from their health insurer or healthcare provider to keep an eye out for “services [they] did not receive,” the suit says.
According to the complaint, Einstein “downplayed the seriousness of the incident” by informing affected patients that “there is no evidence that any of your information was actually viewed by the unauthorized person or that it has been misused.” The suit claims this “boilerplate language” demonstrates Einstein’s “lack of concern for the seriousness of the Data Breach,” the details of which the healthcare provider has yet to fully disclose, according to the case. From the complaint:
“To date, Einstein has not yet disclosed full details of the Data Breach. Without such disclosure, questions remain as to the full extent of the Data Breach, the number of patients involved, the actual data accessed and compromised, and what measures, if any, Einstein has taken to secure the [personal health information] still in its possession.”
The lawsuit characterizes Einstein’s approach to data security as “lackadaisical, cavalier, reckless, or in the very least, negligent.”
The lawsuit looks to cover anyone whose personal health information was compromised in the Einstein Healthcare Network data breach that occurred in August 2020.