The healthcare provider based in Morristown, VT, Lamoille Health Partners, is dealing with a class action lawsuit because of a ransomware attack in June 2022 that impacted approximately 60,000 patients.
Lamoille Health Partners discovered the attack on June 13, 2022. The investigation into the incident confirmed that attackers acquired access to its system the preceding day. Before encrypting files, the attackers likely viewed or obtained records from its systems containing names, birth dates, addresses, Social Security numbers, medical insurance details, and medical treatment data.
On or about August 11, 2022, the provider sent notification letters to impacted persons and offered free identity protection and credit monitoring services to patients who had their Social Security numbers possibly stolen. Lamoille Health Partners stated the delay in providing notification letters was because of the duration of the investigation to determine which persons were impacted and the types of data affected. The data breach report was sent to the HHS’ Office for Civil Rights indicating that 59,381 patients were affected.
It is now common for healthcare data breaches to be followed by lawsuits being filed by patients whose protected health information (PHI) was compromised. The lawsuit claims Lamoille Health Partners didn’t employ proper safety measures to make sure the privacy of the PHI was kept on its systems, violating the HIPAA Security Rule. Patricia Marshall, the plaintiff, states that Lamoille Health Partners’ negligence means her sensitive data is in the possession of cybercriminals. Together with the class members, she faces an impending and persistent danger of identity theft and fraud.
The legal action likewise claims that the sending of the notification letters to the impacted individuals was unnecessarily delayed, even if the notification letters were delivered within the 60-days allowed by the HIPAA Breach Notification Rule. The lawsuit Marshall versus Lamoille Health Partners Inc. was submitted on September 1, 2022 to the U.S. District Court for the District of Vermont. The plaintiff and class members seek compensatory damages and injunctive relief. Lamoille Health Partners also needs to implement additional safety measures to better secure patient information. Attorney Matthew B. Byrne of Gravel and Shea in Burlington, VT is the plaintiff’s legal representative.