People have taken legal action over the recent data breaches at Blackbaud and BJC Healthcare, which resulted in the disclosure and theft of their private data and protected health information (PHI).
A Number of Lawsuits Filed in Relation to the Blackbaud Ransomware Attack
The Blackbaud data breach is one of the major breaches of healthcare data reported. How many healthcare entities were impacted is uncertain at this time, since each affected entity is filing breach reports independently. As the reporting deadline approaches, the scope of the breach is becoming clearer. At the moment, at least 5 million people are verified to have been affected, and about 60 healthcare providers have confirmed being impacted by the data breach.
In typical ransomware attacks, the attackers exfiltrate information before deploying the ransomware. Blackbaud paid the ransom to acquire the keys for data decryption and to make certain that all stolen records were permanently deleted. Blackbaud obtained assurances that the stolen data had been deleted; nevertheless, because of the breach, people whose information was stolen still had to take action to safeguard their identities, and many have borne out-of-pocket costs resulting from the breach.
At this time, approximately 10 lawsuits have been filed against Blackbaud, seeking class action status. The lawsuits allege invasion of privacy, breach of contract, and violations of several state rules.
Blackbaud may have obtained assurances that the stolen data was erased; nonetheless, the hackers might still have made a copy of the data. According to one lawsuit filed in California federal court, Blackbaud could not reasonably state that the attackers destroyed the subset copy merely because it paid the ransom and the data thieves said the copy was erased. Blackbaud has responded that the allegations in the lawsuits are without merit.
BJC Healthcare Confronted With Class Action Lawsuit Due to Phishing Attack
A lawsuit has been filed in the St. Louis Circuit Court because of a phishing attack on BJC Healthcare in March 2020. The breach potentially exposed the personal data and PHI of 287,876 people and impacted 19 hospitals connected with BJC Healthcare.
The attackers accessed the email accounts of three employees who responded to the phishing emails and divulged their credentials. BJC Healthcare states that the breach was identified on the same day. However, it could not ascertain whether the attackers accessed or stole any information in the email accounts.
Attorney Jack Garvey filed a lawsuit on behalf of BJC patient Brian Lee Bauer alleging that BJC was negligent in protecting patient privacy. The legal action claims the health system failed to implement and adhere to basic security processes, so that hackers were able to access the PHI of its patients. The lawsuit claims BJC failed to encrypt, or didn't adequately encrypt, patient information and that it failed to satisfy its data security responsibilities under HIPAA and the HITECH Act.
According to the lawsuit, breach victims face a greater risk of identity theft and fraud and could be in danger of suffering some or additional direct setbacks. Because of the breach, patients have sustained substantial out-of-pocket expenses associated with the prevention, identification, restoration, and mitigation of identity theft and fraud. The breach also had a considerable emotional and physical impact on the affected persons.