Cardiovascular Associates, a clinic in Birmingham, Alabama, is facing a class-action lawsuit over a data exfiltration breach that occurred last month and affected nearly 442,000 individuals. In addition to monetary damages, the plaintiffs are seeking injunctive relief that includes the implementation of a comprehensive information security program and ten years of court-monitored SOC 2 Type 2 attestations conducted by an independent third-party assessor.
The lawsuit claims that the clinic neglected to safeguard patients’ information, which could lead to identity theft and fraud.
The clinic is also accused of failing to comply with Federal Trade Commission guidelines, HIPAA regulations, and industry standards such as the National Institute of Standards and Technology's Cybersecurity Framework.
The breach, reported to the U.S. Department of Health and Human Services on February 3, was caused by a hacking incident involving a network server.
The attackers may have compromised a wide range of sensitive patient information, including names, birthdates, addresses, Social Security numbers, health insurance information, medical records, billing and claims information, passport and driver's license numbers, and credit card and financial account information.
The lawsuit alleges that the clinic failed to provide a description of the type of data security incident that occurred, including the root cause and vulnerabilities exploited, in its breach notice.
Incidents involving the exfiltration of vast troves of sensitive patient data are particularly concerning because attackers rarely stop at the initial intrusion: the stolen data is typically resold or used directly for identity fraud.
According to regulatory attorney Rachel Rose, this increases the risk of the data being posted on either the dark web or the internet, giving class-action members and the government a stronger basis for damages.
Furthermore, the lawsuit warns that the ramifications of the clinic's alleged failure to secure the private information of the plaintiff and class members are long-lasting and severe, especially when Social Security numbers are involved, as fraudulent use of that information can continue for years.