September 2024
Healthcare Data Breach Complaint Survives Motion to Dismiss
By Alan S. Wernick, Esq., Wernick & Associates, LTD.
Healthcare data breaches, in addition to impacting patient safety, are typically the most expensive data breaches of any industry.[1] In Cahill v. Memorial Heart Institute, the U.S. District Court for the Eastern District of Tennessee considered a motion by Defendant, a healthcare provider, to dismiss Plaintiffs’ complaint arising from a data breach of Defendant’s healthcare operations.[2] In its September 26, 2024, memorandum opinion, the Court denied Defendant’s motion to dismiss as to Plaintiffs’ claims of negligence and breach of implied contract, and dismissed Plaintiffs’ other claims.
According to the alleged facts, “[o]n or before April 17, 2023, cyberthieves gained unauthorized access to Defendant’s information technology network. . . . [T]he criminal third parties accessed and exfiltrated private health and personal information (collectively ‘PII’), including social security numbers, of Plaintiffs and other current and former patients. Although Defendant discovered on May 31, 2023, that the cyberthieves had accessed 170,450 individuals’ private information in the data breach, Defendant did not notify the individuals identified as affected until July 28, 2023. More than two months later, Defendant disclosed that 411,000 people had been affected by the data breach, most of which were first notified on October 6, 2023.” This delayed notification was one of the factors the Court pointed to in denying Defendant’s motion to dismiss the negligence and implied-contract claims.
The Court also noted Plaintiffs’ allegation that, after the data breach, the cybercrime group “Karakurt” publicly claimed responsibility for the cyberattack.[3] Plaintiffs further alleged that the “group exploits vulnerabilities or weak credentials of the computer network. . . . Although Karakurt’s primary extortion leverage is a promise to delete stolen data and keep the incident confidential, some victims reported Karakurt actors did not maintain the confidentiality of victim information after a ransom was paid.”
The bottom line is that cyberattacks have become increasingly common. The timeliness of notifying those affected can be a significant issue, to be evaluated in light of the facts and the applicable law(s) and regulation(s). Businesses that proactively assess their cyberthreat landscape and take preventive action are more likely to save money in the long run, to be more secure, and to mitigate the threat more quickly when a cybersecurity incident is discovered. As Ben Franklin is quoted as saying, “An ounce of prevention is worth a pound of cure.”
© 2024 Alan S. Wernick
[1] IBM and Ponemon Institute, Cost of a Data Breach Report 2024, IBM (last visited Sept. 30, 2024). The report notes, “The average cost for healthcare [data breaches] fell 10.6%, to USD 9.77 million. But that factor wasn’t enough to remove it from the top costliest industry for breaches—a spot it’s held since 2011. Healthcare remains a target for attackers since the industry often suffers from existing technologies and is highly vulnerable to disruption, which can put patient safety at stake.”
[2] The Chattanooga Heart Institute Notice of Data Security Incident, Chattanooga Heart Inst. (last visited Sept. 30, 2024).
[3] The Chattanooga Heart Institute to notify 170,450 about March “data security incident,” DataBreaches.Net (July 29, 2023).