New York Accounting Agency Faces Class Action Lawsuit Due to Maze Ransomware Attack

BST & Co. CPAs LLC, a New York accounting agency, encounted a manual ransomware attack in late 2019. Patients who had their protected health information (PHI) stolen as a result of the breach have filed a legal case against the company.

The lawsuit claims that BST & Co. was negligent for its inability to take proper and acceptable steps to avoid the ransomware attack. Further, the firm didn’t issue a timely and accurate notification to patients affected by the breach. The lawsuit additionally claims the company violated its fiduciary duty to secure sensitive patient data and broke state rules associated to deceitful business procedures.

ST & Co. discovered the ransomware attack on December 7, 2019. The attackers used Maze ransomware and exfiltrated an array of information from the firm before file encryption and then threatened that they will publish the information if no ransom was paid. Because no ransom payment was made, the attackers published the sensitive information on its website.

Based on the breach report filed with the Department of Health and Human Services’ Office for Civil Rights, the breach potentially resulted in the compromise of the PHI of 170,000 people, who were mostly Community Care Physicians patients. Although patient information were published on the internet where it was accessible to any person, BST did not send notification letters to patients until February 14, 2020.

On May 27, 2020, the complainants filed the lawsuit in New York’s supreme court and sought class action status. The lawsuit states that BST & Co. deliberately, willfully, recklessly, or negligently did not take sufficient and valid measures to make sure that its data systems were safe against unauthorized attacks and claims it did not have sufficiently robust computer systems and security measures.

The lawsuit additionally claims BST and its employees did appropriately monitor the network, computer system and patient sensitive data. If they had properly addressed that issue, the attack should have been discovered earlier. The lawsuit alleges that because of the company’s failures,  data thieves now have possession of patient information and the identity of patients are at stake.

The lawsuit seeks compensation for damages, refund of out-of-pocket-costs, the provision of enough credit monitoring services, and demands enhancements to be done on the BST’s security systems to avoid other breaches in the future.