A proposed class action lawsuit looks to represent more than 150,000 Personal Touch home healthcare patients and caregivers whose data was improperly accessed during a ransomware attack on Crossroads Technologies’ cloud-based data center last year.
According to the 48-page lawsuit, Crossroads informed Personal Touch on December 1, 2019 that it was hit by a ransomware attack that essentially held hostage electronic records containing confidential patient medical data, making such inaccessible until a fee was paid. In all, the case says, the personal information of 156,409 patients and caregivers across six states was impacted, and medical care and treatment were disrupted given Personal Touch’s record system was offline.
The suit says the data compromised in the incident included patient names, addresses, telephone numbers, birth dates, health insurance card numbers, plan benefit details, Social Security numbers and treatment information. Despite being made aware of the incident on December 1, 2019, Personal Touch did not send notification to affected patients and caregivers until January 28, 2020, the lawsuit notes.
As the case tells it, the defendants maintained proposed class members’ information in a reckless manner and in a condition on a cloud storage network vulnerable to ransomware attacks and data breaches. The complaint charges that the Personal Touch ransomware attack was the result of “computer systems in dire need of security upgrading,” as well as inadequate procedures for handling potentially dangerous emails, and insufficient employee training to be vigilant against bad actors and cyber thieves. For its part, Crossroads, the case claims, failed to properly monitor the computer systems and network containing Personal Touch patient and caregiver data.
“Had Crossroads properly monitored its property, it would have discovered the intrusion sooner,” according to the lawsuit.
In addition to having their daily lives and medical treatment disrupted by the cyber incident, proposed class members now face a heightened risk of identity theft and fraud as a result of the defendants’ negligent conduct, the lawsuit claims. Additionally, proposed class members may incur out-of-pocket costs related to monitoring their financial accounts and identities and other protective measures.