Multiple class action lawsuits were filed against Empress EMS, the New York ambulance service, because of a ransomware attack that was discovered on July 14, 2022. The group responsible for the attack was the Hive ransomware group. The modus operandi of the group is it steals sensitive files after getting access to the system and then encrypts the files.
Based on the breach notifications issued by Empress EMS, the ransomware actors stole files with information such as names, birth dates, demographic details, diagnosis and treatment data, dates of service, medical record numbers, insurance details, prescription details, and, the Social Security numbers of a small group of persons. The Hive ransomware group stole the files on July 13, 2022 and published a part of the stolen information on their data leak website. However, the information was immediately removed because Empress EMS paid the ransom to the Hive group, according to databreaches.net.
The breach investigation showed the ransomware group initially obtained access to the system on or about May 26, 2022. Empress EMS sent notification letters to impacted persons on September 9, 2022 and sent the breach report to the HHS’ Office for Civil Rights indicating that up to 318,558 persons were affected. Those who had their Social Security numbers exposed or stolen received free credit monitoring services.
The most recent lawsuit filed in Manhattan Federal court by plaintiff Robert D’Agostini and other individuals, alleges breach of implied contract, negligence for not sufficiently protecting patient information, and New York General Business law violations. The lawsuit additionally alleges HIPAA violation by Empress EMS.
The lawsuit dispute the duration that Empress EMS was able to identify the attack, about 2 months, and the time it took to alert the impacted persons, over 7 weeks. The lawsuit claims Empress EMS unreasonably deferred the issuance of notifications. It must be noted that HIPAA requires covered entities to issue notifications up to 60 days from the time of discovering a data breach, however, it states that notifications must be issued without unreasonable delay.
The lawsuit additionally alleges vital information was not included in the breach notification letters, particularly the role of the Hive ransomware group in the attack. The group is known to steal and leak stolen information to the public. The Hive group professed to steal over 100,000 Social Security numbers, which is noted by the lawsuit as not a small subset of information.
The lawsuit alleges that the plaintiffs’ and class members’ privacy was violated. The hackers got hold of their protected health information (PHI) and publicly leaked it. The attack victims face an impending and continuing risk of fraudulence and identity theft. The lawsuit wants class-action status, actual damages (or $50 per class member, whichever is higher), punitive damages, treble damages, and a jury trial. The lawsuit is one of the 4 complaints that Empress EMS is facing because of the data breach.