The Texas-based hospital is facing a class-action suit for negligence.
What happened
In January 2024, Ernest Health Rehabilitation Health faced a massive data breach impacting multiple hospitals in Texas, New Mexico, Idaho, Utah, and other states.
According to one of the notices of data breach letters from Trustpoint Rehabilitation Hospital in Lubbock, the hospital first discovered unusual activity on February 1st, 2024. Through an investigation, the hospital determined unauthorized access had occurred between January 16th and February 4th.
The party gained access to the hospital’s IT network, allowing the attackers to access addresses, dates of birth, medical record numbers, health insurance plan member IDs, claims data, diagnosis, and/or prescription information. Certain patients' Social Security and driver’s license numbers were also stolen.
Breach notices were mailed out to patients beginning around March 29th, 2024. Ernest Health is offering credit monitoring and identity-related services to victims.
What’s new
It’s estimated that approximately 94,747 patients were impacted. While Ernest Health has not officially confirmed, the ransomware organization LockBit has claimed responsibility for the attack. The company has threatened to release stolen information. Neither Ernest Health nor LockBit has commented on whether a ransom had been paid. It is generally advised for healthcare companies to not pay ransoms, as they can incentivize future attacks.
Since then, Ernest Health has been hit by a class action lawsuit. Filed in Texas by plaintiffs Joe Lara and Laurie Cook, the suit alleges that the breach occurred because of “insufficient cybersecurity” and that Ernest Health had “no effective means to prevent, detect or stop” the threat.
The lawsuit claims it was unreasonable that the attack was undetected for 16 days, allowing LockBit significant access to steal data. The plaintiffs also allege that Ernest Health waited too long to supply a notice of the data breach.
The suit argues that because of Ernest Health’s negligence, the hospital group was an “easy target” for hackers like LockBit. According to the suit, Ernest Health “failed its duties when its inadequate security practices caused the Data Breach…in other words, Defendant’s negligence is evidenced by its failure to prevent the Data Breach and stop cybercriminals from accessing the [personally identifiable and protected health information]. And thus, Defendant caused widespread injury and monetary damages.”
Why it matters
The case proves the challenges ransomware organizations present. LockBit recently faced an international takedown by law enforcement, yet only days later, their servers were restored and they quickly claimed the attack on Ernest Health.
As noted in the lawsuit, it took over two weeks for Ernest Health to become aware of the breach. In times when data breaches occur daily, it’s necessary that networks are consistently being monitored for nefarious activity. Catching breaches or attempts as soon as they occur can prevent attackers' ability to exfiltrate information.
The big picture
Paubox has covered many cases similar to this. As the case progresses, we predict it will eventually settle. Even without going to court, lawsuits like these can be costly and time-consuming.
Healthcare organizations should do everything possible to prevent attacks like these, including using email security services.
Read more: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
