Einstein Healthcare Network is facing a class-action lawsuit, following the August 2020 hack of several employee email accounts. The breach victims claim the Pennsylvania-based health system failed to properly secure and safeguard the protected health information of patients.
Einstein notified the public of the compromise in January 2021, nearly six months after the security incident. According to the Department of Health and Human Services breach reporting tool, the email hack compromised the data of 353,616 patients.
An attacker had access to the accounts for 12 days, between August 5 and August 17, 2020. The accounts contained a wide range of patient data, including names, dates of birth, medical record or patient information, and/or treatment and clinical data, such as diagnoses, medical information, locations of service, and provider names.
Some patients also had their Social Security numbers, health insurance information, and/or driver's license information compromised during the incident. While media reports on the incident did not begin until January, the lawsuit confirmed that Einstein honored the 60-day notification timeline required by HIPAA and began sending letters to patients in October.
The investigation continued during that time, with more patients being notified that their data was included in the breached information between January 21, 2021 and February 8, 2021.
Filed by former patient Nanette Katz, the lawsuit argues that Einstein failed to provide timely, accurate, and adequate notice to patients that their data had been compromised, in addition to failing to comply with industry standards to protect its systems that contained PHI.
Katz was among the patients who received the January breach notice from Einstein, nearly six months after the initial incident.
The lawsuit argues that the notification was “untimely and woefully deficient, failing to provide basic details concerning the data breach, including, but not limited to, why sensitive patient information was stored within employee emails which were clearly stored on systems without adequate security, the deficiencies in the security systems that permitted unauthorized access, whether the stolen data was encrypted or otherwise protected, and whether Einstein knows if the data has not been further disseminated.”
Further, the patients claim their PHI is in the hands of the cybercriminals and that the victims will “forever face a substantial, increased risk of identity theft.” Thus, the affected patients will continue to spend significant time and money to protect themselves from further injury.
The lawsuit also takes issue with Einstein only providing identity protection services to patients whose SSNs were compromised. Notably, the lawsuit contains several spelling errors.
“To date, Einstein has not yet disclosed full details of the data breach,” according to the lawsuit. “Without such disclosure, questions remain as to the full extent of the data breach, the number of patients involved, the actual data accessed and compromised, and what measures, if any, Einstein has taken to secure the PHI still in its possession.”
“Through this litigation, [the patient] seeks to determine the scope of the data breach and the information involved, obtain relief that redresses [Einstein’s] harms, and ensure Einstein has proper measures in place to prevent another breach from occurring in the future.”
The victims are asking the court to order Einstein to “fully and accurately disclose the nature of the information that has been compromised and to adopt reasonably sufficient security practices and safeguards to prevent incidents like the disclosure in the future.”
Healthcare breach lawsuits are par for the course under the current threat landscape, with varying results. The majority are settled out of court, such as the most recent settlement with Saint Francis Healthcare, which owns Ferguson Medical Group.
But other courts have stressed the need for breach victims to demonstrate actual harm. For example, a judge dismissed a lawsuit against Brandywine Urology Consultants in February, as the patients failed to provide evidence of injuries or losses caused by the security incident.