In 2021, Sea Mar Community Health Centers (SMCHC) faced a data breach. Now, the healthcare provider faces a class-action lawsuit. As a nonprofit, SMCHC treats underserved communities in Washington state. After a cyberattack, covered entities like SMCHC deal with many costs and issues including angry patients and possible lawsuits.
RELATED: The costs of ransomware attacks
Such short-term and long-term problems demonstrate why healthcare organizations must safeguard protected health information (PHI). And why it is imperative to prove HIPAA compliance by using strong cybersecurity features like HIPAA compliant email. Especially as the healthcare industry witnesses an increase in lawsuits along with an increase in data breaches.
The 2021 SMCHC breach
SMCHC discovered a breach in June 2021 after a threat actor posted stolen files on the Marketo dark web leak site.
The organization later determined that the threat actor accessed and copied PHI from its network between December 2020 and March 2021. While SMCHC took immediate steps to secure its network and start an investigation, the Marketo gang had a six-month head start.
SMCHC sent a breach notification letter to affected individuals in October. PHI accessed and exfiltrated included:
|Social Security numbers||Birthdates|
|Health and treatment information||Client numbers|
The healthcare provider also contacted the U.S. Office for Civil Rights, listing the breach as a hacking/IT incident affecting 688,000 individuals. In its October notification, SMCHC stated that “additional data may have been copied.” At the same time, SMCHC added that it was unaware of the data being misused.
The SMCHC lawsuit
On February 16, affected individuals filed a class-action lawsuit in Washington state. This is not the first lawsuit filed against SMCHC regarding this incident.
The plaintiffs accuse SMCHC of negligence and failure to adequately safeguard patient and employee information. In other words, SMCHC did not have proper cybersecurity in place to protect PHI. The lawsuit suggests that SMCHC acted in a “reckless manner” by storing PHI on its network “in a condition vulnerable to cyberattacks.”
Furthermore, the lawsuit alleges that the organization delayed breach notification. Under the HIPAA Breach Notification Rule, breaches with more than 500 affected individuals require notification within 60 days of discovery (or directly after an investigation).
SMCHC sent notification in October 2021, 10 months after the cyberattack and four months after discovery. Reports state that the investigation concluded in August 2021.
The plaintiffs maintain that they suffered injury and ascertainable losses due to the breach. They want compensatory damages, nominal damages, reimbursement of out-of-pocket expenses, and injunctive relief.
Lawsuits against healthcare organizations
Such lawsuits against healthcare organizations occur more and more frequently, likely due to the rise in cyberattacks and stolen PHI. Healthcare providers are not insulated from paying millions of dollars in damages after already costly cyberattacks.
Recent lawsuits include:
|Name||Date served||Date of breach||Type of breach|
|Springhill Medical Center||January 2020||July 2019||Ransomware (possibly led to infant death)|
|Blackbaud (business associate)||Several times in 2020||February to May 2020||Ransomware|
|US Fertility||January 2021||September 2020||Ransomware|
|Bansley and Kiener (business associate)||December 2021||December 2020||Ransomware|
|Broward Health||January 2022||October 2021||Hacking/IT incident|
A judge dismissed a lawsuit against Brandywine Urology in February 2021. And in June 2021, the Supreme Court ruled that data breach victims must demonstrate actual injury and losses. Given this, we see healthcare organizations, such as UF Health Central Florida, successfully stop lawsuits while others, like Anthem, settle.
What these cases demonstrate is that a lawsuit could happen to anyone after a HIPAA violation and/or PHI exposure.
Cybersecurity, cybersecurity, cybersecurity
Data breach lawsuits all claim that breaches occur because of inadequate cybersecurity measures. So why do healthcare organizations expose themselves to lawsuits when they could be proactive?
As cyberattacks become more common, healthcare organizations must do better with their cybersecurity. For one thing, covered entities must review and update their current privacy and security policies and procedures.
Along with this, they should provide regular and up-to-date employee awareness training. Necessary technical safeguards to block breaches include:
- Access controls such as password management
- Offline backup
- Data encryption
- Endpoint security
- Email security (i.e., HIPAA compliant email)
Finally, it is important to ensure that business associates also employ strong cybersecurity measures. Healthcare organizations must always sign a business associate agreement and understand what their third-party vendors do to protect PHI.
A data breach is foreseeable, but PHI can remain secure with a proper cybersecurity program. Healthcare organizations can avoid disrupted service, HIPAA violations, and possible lawsuits with a practical approach to cybersecurity.