A proposed class action alleges Keystone Health failed to prevent a 2022 data breach that compromised the personal and health information of approximately 235,237 individuals.
According to the 60-page case, the healthcare provider's failure to implement adequate cybersecurity measures allowed cybercriminals to access its network between July 28 and August 19, 2022. The breach exposed the names, Social Security numbers and clinical health information of 235,237 patients, the filing relays.
The complaint claims that Keystone Health detected the cyberattack on August 19 but waited until October 14, 2022 to notify affected individuals.
"As a result of this delayed response, Plaintiff and Class Members had no idea their Private Information had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm," the suit states. "The risk will remain for their respective lifetimes."
The case argues that Keystone Health "intentionally, willfully, recklessly and/or negligently" disregarded patients' rights given the foreseeable nature of ransomware attacks. Cybersecurity firm Mimecast found that 90 percent of healthcare organizations experienced cyberattacks in 2020, the filing relays.