LifeBridge Health faces class-action lawsuit stemming from massive cyberbreach in 2016
Firm said hackers had access for extended period because LifeBridge did not properly protect its servers and patient information.
Law firm Murphy, Falcon & Murphy has filed a statewide class action lawsuit against Baltimore provider LifeBridge Health on behalf of more than 530,000 consumers whose personal information including Social Security numbers, birth dates, names, addresses, health insurance information, client treatment information, and medical diagnoses were stolen.
The data breach occurred on or about September 27, 2016. It was discovered approximately March 28, 18 months later. At the time, LifeBridge sent letters to the affected patients, though they said they had no reason to believe the information had been misused.
WHY IT MATTERS
According to the firm, the hackers had access for an extended period of time and that was made possible because LifeBridge did not properly protect its servers and patient information. Attorneys said LifeBridge's conduct also violated privacy protection statutes including the Maryland Personal Information Protection Act, the Maryland Social Security Number Privacy Act, and the Maryland Consumer Protection Act.
THE TREND
LifeBridge said previously that it discovered the breach on March 18, and that it involved malware that infected the server that hosts LifeBridge Potomac Professional's electronic medical record and LifeBridge Health's patient registration and billing systems.
The system said it investigated, hired a national forensic firm and determined that an unauthorized person accessed the server on September 27, 2016. The compromised information included patients' names, addresses, dates of birth, diagnoses, medications, clinical and treatment information, insurance information, and in some cases, Social Security numbers.
ON THE RECORD
"A healthcare data breach is devastating in a uniquely personal way. In addition to obtaining the victims' valuable and sensitive personally identifiable information, cybercriminals also obtained information regarding these patients' medical histories, diagnoses, and treatments. LifeBridge should have implemented appropriate and adequate technological safeguards to prevent such a massive cyberbreach from occurring, and certainly should have notified its patients immediately after learning of the breach," Hassan Murphy, managing partner at Murphy, Falcon & Murphy said.
LifeBridge said Thursday it had not seen the lawsuit and could not comment. In May, officials commented on measures they had taken. "To help prevent something like this from happening again, LifeBridge has enhanced the complexity of its password requirements and the security of its system."
Twitter: @BethJSanborn
Email the writer: beth.sanborn@himssmedia.com