Tampa Bay’s Florida Orthopaedic Institute (FOI) faces a proposed class action lawsuit after an April 2020 data breach exposed the personal information of up to 150,000 patients.
According to the case, a ransomware attack on April 9, 2020 allowed unauthorized third parties to access the private information of between 100,000 and 150,000 FOI patients. Per the complaint, the data exposed in the breach included patients’ names, Social Security numbers, dates of birth, addresses, diagnosis codes, financial information, and treatment information.
Filed in Hillsborough County Circuit Court against Musculoskeletal Institute, Chartered, which does business as FOI, the lawsuit claims the defendant’s failure to implement and follow “basic security procedures,” coupled with its inadequate response to the breach, is to blame for patients’ sensitive data falling into “the hands of thieves and unknown criminals.” FOI, described in the case as “one of the largest conglomerates of orthopaedic offices,” failed to adequately investigate the security incident to determine the scope and extent of the breach and then waited “more than two months” before notifying affected patients, the suit alleges.
A June 18 letter was the first notice informing FOI patients that their data may have been compromised, according to the case. The lawsuit alleges the letter failed to inform patients of the actual date of the breach, much less explain why the defendant waited over two months after learning of the incident to notify those affected.
Per the complaint, the June 2020 letter also downplayed the seriousness of the breach “in deliberate disregard” of the fact that patients’ sensitive information was “readily viewable” by unauthorized third parties. The case alleges that the “simple boilerplate language” in the letter evidences the defendant’s lack of concern as to the seriousness of the breach, adding that FOI failed to describe the investigation effort or whether law enforcement was involved.
Further, the lawsuit claims the defendant’s offer of an identity monitoring service to affected patients is a “woefully insufficient remedy” given the nature of proposed class members’ damages, noting that patients have only three months to sign up for the offer “even though the security of that [personally identifiable information] is forever compromised and Plaintiffs and Class Members are forever at risk of future misuse.”
All told, the case claims FOI’s approach to maintaining the privacy of proposed class members’ information was not only “lackadaisical, cavalier, reckless, or in the very least, negligent,” but failed to comply with the Health Insurance Portability and Accountability Act (HIPAA) and industry standards.
The consequences of the defendant’s actions are “long lasting and severe,” as patients will be at a heightened risk of identity theft and fraud for years to come, the suit says.