Class Action Alleges Firm Was 'Negligent' In Protecting Medical Group's Information
This article has been updated.
A proposed class action lawsuit filed against an accounting firm in the wake of a 2019 ransomware incident that allegedly exposed patient information serves as the latest reminder of the security and privacy risks posed by vendors.
In the lawsuit filed on May 27 in the New York state supreme court, lead plaintiff Elmer Keach - a patient of Community Care Physicians, a large multispecialty medical group in update New York - alleges, among other claims, that accounting firm BST & Co. CPAs LLC was "negligent and reckless" in protecting CCP's patient information from "unauthorized intrusions." (See Hacking of Accounting Firm Affects Medical Group).
The class action complaint also alleges that some of the data that was breached as a result of the December 2019 ransomware attack on Albany, N.Y.-based BST has potentially shown up on the publicly accessible website of ransomware gang Maze.
"Despite learning of the ransomware attack on Dec. 7, 2019, notification letters were not sent to affected patients until more than two months later on or around Feb. 14, 2020 - well after the Maze ransomware gang published the private data online for all cyberthieves to access," the lawsuit alleges.
CCP is not named as a defendant or plaintiff in the lawsuit. CCP did not immediately respond to an Information Security Media Group request for comment.
BST declined ISMG's request for additional details about the lawsuit and data security incident, saying it does not comment on pending litigation.
Keach is being represented by New York-based law firm Chaffin Luhana, which did not immediately respond to ISMG's request for comment on the lawsuit.
The lawsuit complaint alleges that the information of 170,000 individuals was impacted in the ransomware incident involving BST's network.
While BST reported the "hacking/IT incident" on Feb. 16 to the Department of Health and Human Services as affecting 170,000 individuals, based on an entry on the HIPAA Breach Reporting Tool website - that report does not reflect whether all the individuals affected are CCP patients. The HHS Office for Civil Rights' breach reporting website lists health data breaches affecting 500 or more individuals.
In a breach notification statement issued in February, BST said the "virus" incident that prevented access to files on its network potentially impacted "data for some of BST's local clients to whom the company provides accounting and tax services," including CCP.
BST's says in the statement that its investigation determined that "certain personal or protected health information for individuals may have been accessed or acquired without authorization, including individuals' names, dates of birth, medical record numbers, medical billing codes, and insurance descriptions."
However, patient medical records and Social Security numbers were not impacted by this incident, BST said in its statement. Still, BST added that it cannot confirm that any individual's personal information was actually accessed or viewed without permission.
The lawsuit against BST alleges that the accounting firm "intentionally, willfully, recklessly, or negligently failed to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions."
Additionally, the suit alleges that BST failed to disclose that it did not have "adequately robust computer systems and security practices" to safeguard patients' private information; failed to take standard and reasonably available steps to prevent the ransomware attack; and failed to provide "prompt and accurate notice" of the attack.
"Any professional services company that receives, stores, or processes PHI must be aware that it is handling sensitive information."
—Steven Teppler, Mandelbaum Salsburg P.C.
"Defendant BST and its employees failed to properly monitor the computer network and systems that housed the private information," the lawsuit alleges.
"Had BST properly monitored its property, it would have discovered the intrusion sooner," the lawsuit alleges. Patients' identities "are now at risk because of [BST's] negligent conduct since the private information that CCP collected and maintained through its agent, BST, is now in the hands of data thieves," the complaint contends.
The plaintiff and class members in their lawsuit against BST are seeking compensatory damages, reimbursement of out-of-pocket costs, improvements to the firm's data security systems, future annual audits, and "adequate credit monitoring services" funded by BST.
Besides negligence, the suit also alleges BST breached of fiduciary duty to protect private information and violated New York state laws pertaining to deceptive business practices.
The lawsuit against BST is certainly not the first involving patient data breaches at firms handling financial related and other business activities for healthcare sector entities.
For instance, more than a dozen class action lawsuits were filed last year by individuals alleging they have been injured by a 2018 cyberattack on American Medical Collection Agency, which impacted the data of more than 20 million patients of at least 20 medical laboratory testing and other healthcare sector organizations.
Breaches like the ones involving BST, AMCA, and similar vendor security incidents spotlight critical issues for healthcare sector clients and those third-parties, experts say.
"Any professional services company that receives, stores, or processes PHI must be aware that it is handling sensitive information," says technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C., which is not involved in the case.
"In [the BST] case, taking the allegations at face value, the CPA firm should have been aware [of the risks] because of the nature or the services provided to the healthcare provider, who entrusted at least a portion of its patient's PHI to BST, and taken security measures commensurately appropriate with its status as a business associate" under HIPAA, Teppler says.
Meanwhile, healthcare organizations should take steps to assess the type and amount of data that is being shared in every vendor relationship, says privacy attorney David Holtzman of the cybersecurity, compliance and privacy consultancy CynergisTek.
"Ensure that your organization can justify the necessity for protected health information to be provided to your vendor along with ensuring that it is kept to the minimum necessary for the contractor to perform the function they have been hired to perform," he says.
"Put measures in place to ensure that tracks what data is being created or maintained by your vendor. Make sure there your business partner has a data retention program that aligns with your own and returns or securely disposes of personal information once it is no longer needed or required to be kept."
As for the lawsuit against BST contending that patients are at risk in part due to the Maze ransomware gang alleging posting on its dark web site information stolen in the attack - that could potentially help strengthen plaintiff arguments, Teppler says.
"In my opinion ... it shows that the information is and has been actively marketed, and either has been sold or could be sold at any moment," he says.
"Healthcare information ... presents an elevated potential for harm owing to the uniqueness and permanence of the information. A threat actor could compromise/steal a victim's identity immediately, or 'age' it for a period of time to lull the victim into complacence," he says. "The threat, however, remains imminent."
But attorney Holtzman, who is not involved in the BST case, says the complaint filed in a New York court against the accounting firm "would seem to have a very steep hill to climb to be successful."
For example, the NY SHIELD Act's expanded breach notification requirements that took effect in October 2019 "would require a contractor or vendor that did not own the data to provide notification to the data owner, in a similar manner to how a HIPAA business associate would notify the covered entity of an incident that compromised the confidentiality of PHI," he says.
Also, "NY laws that require breach notification as well as recent new provisions in the SHIELD Act that set tough standards to safeguard personal information from unauthorized access and disclosure expressly do not provide a consumer a private right of action to seek damages in the event of a breach."