UF Health Central Florida faces a proposed class action over a May 2021 data breach that reportedly compromised the personal and health information of upward of 700,000 of the healthcare system’s patients.
According to the lawsuit, The Villages Tri-County Medical Center, Inc. and co-defendants Leesburg Regional Medical Center and Central Florida Health have “intentionally, willfully, recklessly, or negligently” failed to implement adequate data security procedures and protocols despite representing that patient information would be kept safe.
The suit contends that patients whose information was compromised in the data breach—in particular names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers and treatment details—now face “a lifetime risk of identity theft” and fraud.
“Until notified of the breach, Plaintiff and Class Members had no idea their [personally identifiable information] and [protected health information] had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm,” the complaint attests. “The risk will remain for their respective lifetimes.”
The lawsuit alleges the defendants’ conduct “amounts to negligence” and violates federal and state laws.
According to the case, the defendants operate a healthcare system under the name UF Health Central Florida. Per the suit, the system encompasses hospital services at UF Health The Villages Hospital and UF Health Leesburg Hospital in addition to inpatient rehabilitation services at UF Health The Villages Rehabilitation Hospital, inpatient psychiatric services at the UF Health Leesburg Hospital Senior Behavioral Health Center and diagnostic laboratory services at several locations.
The lawsuit alleges that between May 29 and May 31, 2021, an unauthorized individual gained access to the defendants’ network as part of a ransomware attack in which current and former patients’ personal and health information may have been compromised. The suit pins the cause of the breach on the defendants’ alleged failure to employ reasonable cybersecurity procedures and practices appropriate enough to safeguard the sensitive data with which they were entrusted.
According to the case, the defendants ignored recommendations from the U.S. government, U.S. Cybersecurity & Infrastructure Security Agency and Microsoft Threat Protection Intelligence Team for how to properly secure sensitive data, not to mention “repeated warnings and alerts” circulated within the healthcare industry regarding the threat of data breaches.
“Despite the prevalence of public announcements of data breach and data security compromises, UFHCF failed to take appropriate steps to protect the PII [personally identifiable information] and PHI [protected health information] of Plaintiff and the proposed Class from being compromised,” the complaint charges, describing the ramifications of the breach as “long lasting and severe.”
The lawsuit says the defendants’ offer of credit monitoring and identity protection services is “inadequate” to protect victims of the breach given the highly sensitive nature of the compromised information and the threats they face “for years to come.”
The case, which was initially filed on September 3 in Lake County, Florida Circuit Court before being removed to the state’s Middle District Court on October 14, looks to represent anyone whose personally identifiable information or protected health information was accessed or potentially accessed during the cybersecurity event referenced in the notice posted on the defendants’ website.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.