Florida Orthopaedic Institute Facing Class Action Lawsuit Over Ransomware Attack

More and more healthcare organizations are facing legal action over ransomware attacks that resulted in patient data theft. The Florida Orthopaedic Institute, a large orthopedic provider in Florida, is one of the latest healthcare companies to face a class action lawsuit over a ransomware attack.

Florida Orthopaedic Institute detected the ransomware attack on April 9, 2020, when employees could not access computer systems and information because the files had been encrypted. A third-party computer forensics company was hired to investigate and confirmed on May 6, 2020 that patient data may have been accessed and exfiltrated by the attackers. The sensitive information potentially compromised included names, birth dates, Social Security numbers, and medical insurance data. Affected patients were notified of the breach on or about June 19, 2020 and were offered free identity theft and credit monitoring services for one year. At the time the notifications were issued, no evidence of misuse of patient data had been found.

Attorney John Yanchunis of Morgan & Morgan recently filed legal action against Florida Orthopaedic Institute, located in Hillsborough County, FL. The lawsuit alleges that the healthcare provider did not implement appropriate safeguards to ensure the privacy of patient information. He stated that cybercriminals surely got hold of this information and used it maliciously.

The lawsuit claims the healthcare company was lackadaisical, not serious, careless, or negligent in protecting the privacy of its patients, and that standard cybersecurity guidelines were not observed. Aside from negligence, the legal case alleges invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and breach of Florida’s Deceptive and Unfair Trade Practices Act.

Although patients were offered free identity theft protection services, Attorney Yanchunis states that one year of such services is not sufficient to protect victims, given that affected individuals face a higher risk of financial problems from the breach for several years to come.

The lawsuit seeks longer credit monitoring for victims and a minimum of $99 million in damages for current and former patients.

The incident has not yet been posted on the HHS’ Office for Civil Rights breach portal, so the number of patients affected by the attack is currently uncertain. According to the lawsuit, no fewer than 100,000 patients were affected, and possibly over 150,000.

Several recent ransomware attacks have resulted in lawsuits, for example, the attacks on BST & Co CPAs LLC and DCH Health System. Grays Harbor Community Hospital recently proposed a $185,000 settlement to resolve the class action lawsuit filed on behalf of a breach victim.