Munson Healthcare is on the receiving end of a proposed class action over its alleged failure to prevent and mitigate the effects of a data breach that impacted more than 75,000 of the north Michigan hospital system’s patients.
According to the 33-page case out of Michigan district court, unauthorized third parties gained access to the email accounts of a “stunning” 29 Munson employees who fell victim to a phishing scheme around July 2019. The email accounts, which the case says were exposed between July 31 and October 22, 2019, allegedly contained the sensitive personal and medical information of thousands of individuals who were patients at Munson’s nine hospitals and healthcare facilities.
The compromised data included names, addresses, Social Security numbers, credit card and bank account information, treatment and diagnostic information, and insurance details, the suit says.
Although Munson later maintained that it was “responding all along” to the phishing incident, claiming it hired an outside cybersecurity firm in August, the hospital operator stated in a February 26 announcement that the breach was “discovered on January 16, 2020,” the date supposed investigators “concluded their investigation,” according to the lawsuit. Despite the discovery, Munson waited until late February to notify affected patients that their information may have been compromised, the case says.
The lawsuit argues that Munson’s failure to implement sufficient safeguards, such as complex data encryption, and to provide adequate employee cybersecurity training was to blame for the security incident.
“If Defendant had encrypted emails containing PII [personally identifiable information], even if cyber attackers accessed the employee emails, the cyber attackers would not have been able to read them,” the complaint alleges. “Similarly, if Defendant’s employees had two-factor authentication to access their email, it is unlikely that cyber attackers could have carried out the Breach.”
Further, the lawsuit chides Munson for neglecting to properly maintain patients’ sensitive data, and putting individuals “at serious and ongoing risk of identity theft,” in light of the prevalence of cybersecurity threats within the healthcare industry and availability of appropriate safeguards. The complaint notes Munson was targeted in a 2018 phone phishing scheme, which saw some Northwest Michigan residents receive phone calls in which an actor or prerecorded voice attempted to trick consumers into turning over personal information.
The lawsuit looks to cover anyone in the U.S. whose personally identifiable information maintained by the defendant was compromised as a result of the breach announced around January 2020, with a proposed subclass of Michigan residents who meet the same criteria.