OakBend Medical Center and Keystone Health Face Lawsuits Over Data Breaches

OakBend Medical Center Cyberattack

OakBend Medical Center learned about the compromise of its systems and encryption of files on September 1, 2022. The hospital controlled the breach and blocked access to its network. A forensic investigation was carried out to find out the nature and extent of the cyberattack. The forensic investigation reported that the threat actors had extracted files that contain patient information. OakBend Medical Center stated entire healthcare records don’t seem stolen. The stolen information included names, contact details, birth dates, and Social Security numbers. The attackers known as Daixin Team claimed they stole information including 1 million patient documents, though Oakbend Medical Center has not confirmed this yet.

On October 28, 2022, the data breach impacted two patients, Alissa Wojnar and Ryan Higgs. Wojnar and Higgs took legal action because of the theft of their protected health information (PHI). Attorney Joe Kendall of Dallas, TX filed the lawsuit in the District Court for the Southern District of Texas. Allegedly, Oakbend Medical Center kept the private data of patients carelessly and did not appropriately keep track of its IT system. The lawsuit claims negligence, negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, invasion of privacy, and intrusion upon seclusion.

The plaintiffs assert they have sustained the loss of the benefit of their bargain, out-of-pocket expenditures, the value of their time that was spent on remedying and mitigating the impact of the attack, emotional stress, and the impending risk of potential problems due to the exposure of their sensitive personal data. The legal action wants class-action status, repayment of out-of-pocket expenditures, compensatory damages, and injunctive relief that calls for OakBend Medical Center to carry out extra security procedures to better secure patient information and to additionally give enough credit checking services to impacted individuals.

Keystone Health Cyberattack

Keystone Health uncovered the compromise of its network on August 19, 2022. After securing the systems, a forensic investigation was started to find out the extent of the attack. It was established that the attackers got access to its system from July 28, 2022 to August 19, 2022. At that time, the accessible sensitive patient information included names, clinical data, and Social Security numbers. The breach impacted 235,237 individuals, who received notifications on October 14, 2022.

The law agency Milberg Coleman Bryson Phillips Grossman, PLLCA filed the legal action in the District Court for the Middle District of Pennsylvania naming Jacob Whitehead as the plaintiff, for his son, a minor. The lawsuit claims Keystone Health did not appropriately protect and safeguard personally identifiable information (PII), and that the private data of patients were managed in a careless and negligent way that made it susceptible to cyberattacks.

The legal action claims negligence for not implementing minimum industry requirements for securing patient information and states Keystone Health did not satisfy its commitments as per the HIPAA Security Law as suitable safety measures were not applied to safeguard patients’ electronic protected health information (ePHI). The lawsuit additionally claims a breach of the HIPAA Breach Notification Rule for not appropriately notifying patients regarding the data breach.

The lawsuit states the plaintiff and others impacted by the data breach are currently at considerable risk of identity theft and different other types of personal, financial, and social harm. They claim an injury was suffered as they lost or reduced the value of their private data, out-of-pocket expenditures related to the avoidance, identification, and recovery from identity theft, tax scams, and/or unauthorized usage of their private data, lost time and opportunity, and a continuing and considerably higher risk of cyberattacks and fraudulence.

The lawsuit wants class-action status, damages, and equitable and injunctive relief, a jury trial, which includes a need for Keystone Health to make sure it has an efficient and extensive security plan, to go through independent security inspections and penetration tests, to have internal employees run automated security tracking, and to give employees security awareness training at least yearly.