The University of Connecticut (UConn) and UConn Health face a proposed class action lawsuit over the institution’s allegedly negligent failure to properly safeguard the personally identifiable medical information of the latter’s patients.
UConn Health, the case says, is a 224-bed teaching hospital that oversees clinical care, advanced biometric research, and medicinal education and offers emergency and out-patient services. UConn reportedly announced on February 25, 2019, that a hacker accessed a number of employee email accounts through a phishing attack that the suit says ultimately exposed the personal data of “more than 326,000” UConn Health patients. Information exposed in the breach, the case continues, included names, dates of birth, addresses, Social Security numbers, and medical details.
As the lawsuit tells it, the deficiencies in UConn’s data security protocols were so significant that the breach was allowed to continue undetected for months. Though patients were notified of the incident last month, the complaint states UConn Health’s database was first compromised back in August 2018, and the breach was reportedly discovered only on Christmas Eve later that year.
“Intruders, therefore, had months to access, view and steal patient data unabated,” the complaint charges. “During this time, UCONN failed to recognize its systems had been breached and that intruders were stealing data on hundreds of thousands of current and former patients. Timely action by UCONN would likely have significantly reduced the consequences of the Breach.”