The protected health information (PHI) of an Eskenazi Health patient was stolen in a ransomware attack in August 2021. The patient is now suing the healthcare company over the data breach.
It is now common for ransomware groups to exfiltrate sensitive information before deploying ransomware to encrypt files. The stolen information is then used to pressure victims into paying the ransom, as happened in the ransomware attack at Eskenazi Health. Eskenazi Health, based in Indianapolis, IN, learned about the attack in early August and quickly deactivated its computer systems to block further unauthorized access and contain the attack. The healthcare company decided to reroute ambulances and call off a number of appointments as a security measure while its electronic medical record system was unavailable.
According to the data breach investigation, Eskenazi Health’s computer systems were first breached in May, and the attackers exfiltrated files containing sensitive patient information. Notification letters began going out to affected patients at the start of November. Patients were told about the data theft and were offered complimentary identity theft protection and credit monitoring services. At the time the notifications were issued, there had been no reports of misuse of patient data, though some patient information was posted on the group’s data leak site. The breach report submitted to the HHS’ Office for Civil Rights at the beginning of October shows the breach impacted 1,515,918 patients.
Eskenazi Health stated that the stolen data concerned employees, healthcare providers, patients, former patients, and vendors, and included names, addresses, telephone numbers, email addresses, birth dates, patient account numbers, medical record numbers, diagnoses, clinical data, doctors’ names, insurance details, prescriptions, driver’s license numbers, passport numbers, face photos, credit card information, and Social Security numbers.
Terri Ruehl Young, the Eskenazi Health patient, was one of the people impacted by the security breach. According to the lawsuit, Young claims a fraudulent charge of $370 was made on the credit card she used to pay for her treatment, and her Equifax credit report showed an attempt to modify her name.
The lawsuit claims patients trusted Eskenazi Health to protect its systems and patient information, but the healthcare organization betrayed that trust by failing to employ state-of-the-art security practices and appropriate security measures to safeguard patient data. The lawsuit alleges negligence, unjust enrichment, and breach of contract.
The lawsuit also addresses how long it took Eskenazi Health to inform patients about the security breach. The lawsuit states that breach notification letters were mailed more than 6 months after the first systems breach, and 3 months after the discovery of the breach by Eskenazi Health. The HIPAA Breach Notification Rule requires notifications to be issued within 60 days of discovering a data breach.
Cohen and Malad and John Steinkamp & Associates filed the lawsuit, which seeks class-action status and a jury trial. An Eskenazi Health spokesperson said the lawsuit has not yet been formally served.