Class Action Lawsuit Versus Elekta Because of Ransomware Attack and PHI Breach

One of Northwestern Memorial HealthCare’s (NMHC) former patient filed a lawsuit against Elekta Inc. concerning its ransomware attack and data breach in April 2021.

Numerous U.S. healthcare companies are business associates with Elekta, a Swedish company providing radiation medical therapies and associated equipment data services. Cybercriminals attacked Elekta’s web-based system that is employed to hold and send healthcare information and got access to the platform between April 2 and April 20, 2021. The breach was noticed when the hackers released the ransomware.

Elekta claimed the attack as having an effect on a small number of its cloud users in the United States, such as NMHC. The complete oncology NMHC database was affected in the ransomware attack. The database stored the protected health information (PHI) of 201,197 cancer people which include names, Social Security numbers, birth dates, and healthcare records. Altogether, the attack affected 170 of Elekta’s healthcare customers.

The lawsuit was submitted in the U. S. District Court for the Northern District of Georgia for Deborah Harrington and other people also impacted by the attack. The lawsuit claims the disclosure of PHI was avoidable, with the data breach occurring because of Elekta’s inability to utilize enough cybersecurity guidelines and procedures. Subsequently, attackers were able to acquire access to its system and steal the sensitive files of patients.

The lawsuit states Elekta was negligent and was unable to honor its obligations to retain enough data security solutions to lessen the threat of security breaches, effectively safeguard PHI on its network, and appropriately check its data security solutions for active infiltrations. It is furthermore supposed that Elekta failed to make certain agents, personnel, and others having access to sensitive files utilized good security measures.

The lawsuit says Harrington and the class members have encountered damages and real injury as a direct consequence of the cyberattack and they currently face more probability of identity theft and fraud and ought to set more security actions to defend themselves against problems.

The claimed harm sustained by Harrington and the class members comprises forthcoming risk of future identity theft, time and dollars used up to minimize the risk of identity theft, decreased value of personal data, and privacy violation.

The lawsuit wants damages, repayment of out-of-pocket expenditures, legal fees, injunctive relief, and more relief as judged acceptable by the courts.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at