by Emma Contreras
Article filed in

Judge dismisses Brandywine Urology data breach lawsuit

by Emma Contreras

In January of 2020, Brandywine Urology Consultants, a private practice that specializes in the treatment of urological conditions, discovered a large-scale ransomware attack on its network. 

The hackers targeted Brandywine Urology’s network using malicious software (malware) designed to hold its computer system hostage. As a consequence, over 131,000 patients’ protected health information (PHI) was put at risk. This breach had the potential to affect data such as names, addresses, Social Security numbers, medical file numbers, financial data, and other sensitive pieces of personal information. 

SEE ALSO: Global Surges in Ransomware Attacks in Q3 2020

What happened

The Delaware-based practice discovered the system intrusion on January 27, 2020—two days after the attack occurred. Once Brandywine Urology’s IT team was able to stop and isolate the attack, they performed a scan to ensure the malware was completely removed from the system. 

Fortunately, Brandywine Urology was able to avoid paying the ransom and confirmed that the hackers did not gain access to the practice’s electronic medical record system. However, despite this, the data breach still put thousands of patients at great personal risk.

SEE ALSO: Is a Name PHI? 

As part of its response to the attack, Brandywine Urology retained an external cybersecurity firm to investigate the source of the attack. The firm determined that the attackers were not seeking to steal data but instead intended to encrypt data in order to extract a ransom. 

Brandywine Urology notified its patients of the data breach two months after the attack occurred and stated that although personal and financial data may have been breached, it was unlikely. 

Ransomware attacks, even ones that were caught early as in the case of Brandywine Urology, have the potential to shut down entire networks, deny access to users, and encrypt critical data all to coerce payment. In recent years, there have been hundreds of millions of ransomware attacks, many of which have been aimed at healthcare organizations. 

SEE ALSO: Coronavirus Cyberattacks: How to Protect Yourself

Lawsuit filed against Brandywine Urology

Patients affected by the data breach filed a lawsuit against Brandywine Urology in May 2020. The lawsuit alleged the following: 

  • Negligence for failure to prevent the ransomware attack
  • Breach of fiduciary duty
  • Imminent risk of future harm
  • Loss of patient privacy
  • Anxiety as a result of PHI theft
  • Failure to receive the benefit of a bargain

Data breach victims also alleged losses stemming from disruption of medical care and a loss of property value in personally identifying information. 

The lawsuit, citing violations of the Delaware Computer Security Breach Act and the Delaware Consumer Fraud Act, sought monetary damages to cover the cost of mitigations and out-of-pocket expenses incurred by the victims as a result of the ransomware attack. 

In response, Brandywine Urology immediately filed a motion to dismiss the lawsuit and claimed the individuals lacked standing to bring the case to federal court. The private practice also claimed that the victims’ claims of economic loss lacked standing due to the notice it provided of a possible data compromise. 

SEE ALSO: Elara Caring Phishing Attack Exposes 100,000 Patients’ Data

Judge dismisses data breach lawsuit

In February 2021, Judge Mary M. Johnston of the Delaware Superior Court granted Brandywine Urology’s motion to dismiss and wrote that the plaintiffs failed to establish the plausibility of future harm. She also stated that there was no evidence that the hackers had actually read or stolen data.

The judge cited a lack of “credible threat;” the plaintiffs lacked standing to sue Brandywine Urology because there was no evidence of actual data misuse. She included in her ruling that the practice’s breach notification was not a concession of plausible or certain threat, but rather an acknowledgment of possible data compromise.

Judge Johnston’s ruling marks the first time a Delaware court has ruled on the issue of whether imminent future harm resulting from a data breach is enough of an injury to qualify for standing. This lawsuit is only one of many to arise from ransomware-related attacks on the healthcare industry. 

Prevent ransomware attacks and future lawsuits with Paubox Email Suite Plus

Although the lawsuit against Brandywine Urology was dismissed, it does not mean that healthcare providers are safe from being sued in the future on similar grounds. While Judge Johnston noted that Brandywine Urology acted swiftly in its attempt to neutralize the attack and responded appropriately, it would be better for the practice and the patients if the attack had never occurred in the first place. 

Unfortunately, attacks like the one Brandywine Urology experienced are only increasing in regularity. 

SEE ALSO: HIPAA Breach Report for April 2021

The type of security breach that affected Brandywine Urology and countless other healthcare providers opens patients up to a severe degree of risk and could also land providers in hot water with HIPAA. Rather than potentially paying thousands of dollars in HIPAA violation fines, healthcare providers can utilize technical safeguards for their email—one of the most vulnerable threat vectors for ransomware attacks. 

Stop ransomware attacks in their tracks with the help of Paubox Email Suite Plus. Our solution enables you to send HIPAA compliant email by default to all recipients, and our inbound email security solutions filter out email spam, viruses, and other threats to keep organization and patient data safe. 

And our patented ExecProtect feature stops display name spoofing emails from reaching the inbox in the first place.

Try Paubox Email Suite for FREE today.