Breach Class Action – for Failure to Protect

The stakes in getting breached are definitely increasing.

Historically, victims of a breach have sued the breached company claiming some potential future, but vague, damages. Often the suits get thrown out saying that these potential future damages are not sufficiently real.

Independent Living Systems is a VENDOR to healthcare providers in Florida. They were breached last July and last September they filed a “placeholder” notification with Health and Human Services claiming 501 potential victims. 500 is the threshold for filing, so doing that sort of put them in compliance with the notification rule. Sort of.

Now they are claiming that the 501 is really 4.2 million. That is a bit of a jump.

By saying last year that it was only 500, none of the law firms were interested. Now they are.

The reason the number of victims is so high is that they are an IT service provider to many, many health care providers. If the vendor gets hacked, likely every one of their customers gets hacked. In this case that adds up to 4.2 million.

It also likely means that a lot of their CUSTOMERS – the health care providers – are going to get sued as well. You can outsource the task, but not the liability.

With this breach five proposed class action lawsuits were filed last week.

But here is the difference.

Independent Living (ILS) is accused of storing patient data in a reckless and negligent manner, failing to provide adequate notice, maintaining patient data on a “system and network in a condition vulnerable to cyberattack” and failure to “take necessary” steps to secure private data from risks.

Patient data “was compromised due to ILS’ negligent and/or careless acts and omissions and the failure to protect” private information, according to the filing.

For healthcare providers, this is a growing trend. Massive breaches followed by massive lawsuits.

According to ILS, they detected an “incident involving the inaccessibility of certain computer systems” on July 5, 2022, with the actor dwelling on the system for nearly a week. The access allowed the threat actor to exfiltrate some data, while other information was accessible to the attacker or potentially viewed. 4.2 million victims certainly qualifies as “some data”.

The suits suggest the patients are at “substantial and imminent risk of identity theft or fraud.” The breach notification does not show that they are offering credit monitoring or identity theft services.

ILS is accused of failing to adequately protect patient data, using inadequate security practices, and failing to “effectively secure hardware” or use effective security procedures free of vulnerabilities and incidents.”

One lawsuit says that ILS failed “to follow applicable, required, and appropriate protocols, policies, and procedures regarding the encryption of data, even for internal use.” The provider’s “conduct amounts to negligence and violates federal and state statutes.”

The message here is that if you don’t have robust cybersecurity practices and you have a breach, you may get sued just because your security practices are not robust enough.

The lawsuits are no longer just saying that the stolen data might be used against the victims; they are saying that the companies were negligent, and by association, THAT LIKELY MEANS THAT THE EXECUTIVE TEAM AND THE DIRECTORS OF THESE ORGANIZATIONS WERE NEGLIGENT AND POTENTIALLY PERSONALLY LIABLE. If it is shown that directors and officers were negligent, the D&O insurance carrier will likely decline to pay and also may cancel the policy. Likewise, cyber breach insurance may also refused to pay. That means the company may be on its own.

While we are talking healthcare here, this legal tactic is not limited to healthcare and if it works, it will become part of the standard playbook for class action attorneys. If you do not have a ROBUST vendor cyber risk management system – and that is different from the old vendor risk management that you used to do, contact us.

Credit: SC Media

by