in Newswire Published on October 27, 2022

Keystone Health Hit with Class Action Over 2022 Data Breach Affecting 235K Patients

by Kelly Mehorter

View Comments

Whitehead v. Keystone Health

Filed: October 25, 2022 § 1:22-cv-01678-CCC

Read Complaint

A class action alleges Keystone Health failed to prevent a 2022 data breach that compromised the personal and health information of 235,237 individuals.

Defendant(s)

Keystone Health

Law(s)

Health Insurance Portability and Accountability Act

State(s)

Pennsylvania

Categories

Privacy Data Breach

A proposed class action alleges Keystone Health failed to prevent a 2022 data breach that compromised the personal and health information of approximately 235,237 individuals.

According to the 60-page case, the healthcare provider's failure to implement adequate cybersecurity measures allowed cybercriminals to access its network between July 28 and August 19, 2022. The breach exposed the names, Social Security numbers and clinical health information of 235,237 patients, the filing relays.

The complaint claims that Keystone Health detected the cyberattack on August 19 but waited until October 14, 2022 to notify affected individuals.

"As a result of this delayed response, Plaintiff and Class Members had no idea their Private Information had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm," the suit states. "The risk will remain for their respective lifetimes."

The case argues that Keystone Health "intentionally, willfully, recklessly and/or negligently" disregarded patients' rights given the foreseeable nature of ransomware attacks. Cybersecurity firm Mimecast found that 90 percent of healthcare organizations experienced cyberattacks in 2020, the filing relays.

Per the complaint, Keystone Health has violated its obligations under the Health Insurance Portability and Accountability Act (HIPAA) by failing to properly secure or encrypt the sensitive data stored in its system. Moreover, Keystone Health has overlooked minimum industry standards for cybersecurity, Federal Trade Commission guidelines for data security and promises in its privacy policy to safeguard patients' information, the suit alleges.

The filing contends that Keystone Health "could and should have" implemented security measures recommended by the U.S. Cybersecurity & Infrastructure Security Agency or the Microsoft Threat Protection Intelligence Team but instead chose not to address its "computer systems in need of security upgrades" and "inadequate procedures for handling email phishing attacks, viruses, malignant computer code, [and] hacking attacks."  

The lawsuit looks to represent anyone whose private information was actually or potentially accessed or acquired during the Keystone Health data breach.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.

Case Spotlight

Hair Relaxer Lawsuits

Women who developed ovarian or uterine cancer after using hair relaxers such as Dark & Lovely and Motions may now have an opportunity to take legal action.

Read more here: Hair Relaxer Cancer Lawsuits

ClassAction.org Newsletter

Stay Current

Sign Up For
Our Newsletter

New cases and investigations, settlement deadlines, and news straight to your inbox.

This browser does not support PDFs. Please download the PDF to view it: Download PDF.
Open Document
Last Updated on October 27, 2022 — 9:11 AM

Kelly Mehorter

kelly@classaction.org

Kelly works primarily on ClassAction.org’s newswire, reporting on cases as they happen.

About ClassAction.org

ClassAction.org is a group of online professionals (designers, developers and writers) with years of experience in the legal industry.

Learn More

Before commenting, please review our comment policy.