BreachExchange mailing list archives

Class action lawsuit seeks to send message about the importance of safeguarding data

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 24 Oct 2014 12:56:31 -0600

http://www.securityinfowatch.com/article/11748224/law-firms-file-class-action-lawsuit-against-community-health-systems-over-massive-data-breach

Community Health Systems (CHS), which operates 206 hospitals in 29 states
across the U.S., reported earlier this year that it suffered a data breach
that exposed the personal information of 4.5 million patients. In a
statement filed by the company with the Securities and Exchange Commission
in August, the company said it believes the attack occurred in April and
June and was carried out by an “Advanced Persistent Threat” group based in
China. Although the data taken did not include credit card, medical or
clinical information of patients, it did include their names, addresses,
birthdates, phone numbers and Social Security numbers.

Last month, two law firms, Slack & Davis and The Branch Law Firm, filed a
class action lawsuit in New Mexico against CHS, alleging that the
healthcare company was negligent in failing to implement and follow basic
security procedures. As a result, the lawsuit claims that affected patients
face a “substantial increased risk of identity theft, if not actual
identity theft,” and will have to spend a significant amount of time and
money to protect themselves.

Some of the specific allegations in the lawsuit include:

- Defendants (CHS and its subsidiary hospitals in New Mexico) stored
plaintiff’s sensitive information in an unprotected, unguarded, unsecured
and/or otherwise unreasonably protected electronic and/or physical location.
- Defendants did not adequately encrypt, if at all, plaintiff’s sensitive
information.
- Defendants did not provide adequate security measures to protect
plaintiff’s sensitive information.
- Defendants have taken no action to promptly notify their patients that
were affected by the breach.
- Defendants’ failure to notify its patients of this data breach in a
reasonable time caused plaintiff to remain ignorant of the breach and
therefore unable to take action to protect herself (Briana Brito, the
plaintiff who represents the class) from harm.

Paula Knippa, an attorney with Slack & Davis, said that they have spoken
with more than 100 other New Mexico residents who are members of the
affected class and that they have also been contacted by patients who were
treated at CHS facilities in 16 other states.

Although she couldn’t speak to the mechanics of how some of the other large
data breaches that have come to light recently were carried out, Knippa
said that in the case of CHS, they used a test server loaded with password
information that would allow that test server to access the company’s
entire database.

“They didn’t put in or install security features that would protect the
test server from hackers and the reason that they didn’t do that is they
thought: ‘This will never be connected to the Internet, it’s only a test
server,’” explained Knippa. “What happened was it did get connected to the
Internet. Somebody at the front-end didn’t tell somebody at the back-end:
‘Hey, don’t use this server again or connect it to the larger system
because it hasn’t been security-proofed.’ It allowed a bug that could have
easily been defended against, the Heartbleed bug, to access the test server
and expose 4.5 million peoples’ information to identity thieves.”
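The failure mode Knippa describes (a test host that was never hardened, ended up reachable, and ran an OpenSSL build affected by Heartbleed) is the kind of thing an asset-inventory check is meant to catch before an attacker does. The following is an added example, not code from the article, from CHS or from the law firms; it assumes a constructed inventory with an environment tag, an internet-exposure flag, a hardening-baseline flag and an upstream OpenSSL version string per host. The version check uses the published Heartbleed range (OpenSSL 1.0.1 through 1.0.1f and the 1.0.2 beta builds, CVE-2014-0160); note that some distributions backport the fix without changing the version string, so a hit is a triage lead rather than proof.

```python
"""Inventory triage for unhardened, exposed test hosts and Heartbleed-era OpenSSL.

Added example; the inventory rows below are constructed, not CHS data.
"""
import re
from dataclasses import dataclass

# Upstream OpenSSL builds affected by Heartbleed (CVE-2014-0160): 1.0.1 through
# 1.0.1f, plus the 1.0.2 beta builds. 1.0.1g and later, the released 1.0.2,
# and the 1.0.0/0.9.8 branches are not affected. Distributions sometimes
# backport the fix without bumping the version, so treat a hit as a lead.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d*)?$")


def openssl_heartbleed_affected(version: str) -> bool:
    """True if an upstream OpenSSL version string falls in the affected range."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"      # "" (plain 1.0.1) and a..f are affected
    if (major, minor, patch) == (1, 0, 2):
        return beta is not None   # only the beta builds, not the release
    return False


@dataclass
class Host:
    name: str
    environment: str        # e.g. "prod" or "test"
    internet_exposed: bool  # reachable from outside the network boundary
    hardened: bool          # passed the hardening baseline for its environment
    openssl_version: str    # upstream version string as reported by the host


def triage(hosts):
    """Return (hostname, reason) pairs for hosts that need attention."""
    findings = []
    for h in hosts:
        try:
            if openssl_heartbleed_affected(h.openssl_version):
                findings.append((h.name, f"OpenSSL {h.openssl_version} is in the "
                                         f"Heartbleed-affected range"))
        except ValueError:
            findings.append((h.name, f"could not parse OpenSSL version "
                                     f"{h.openssl_version!r}"))
        # An unhardened host is tolerable only while it is genuinely isolated;
        # the moment it is exposed, the "it's only a test server" assumption is gone.
        if h.internet_exposed and not h.hardened:
            findings.append((h.name, f"{h.environment} host is reachable from "
                                     f"the Internet but not hardened"))
    return findings


# Constructed inventory for the example.
SAMPLE_HOSTS = [
    Host("web-prod-01", "prod", True, True, "1.0.1g"),
    Host("db-prod-01", "prod", False, True, "1.0.1g"),
    Host("test-app-07", "test", True, False, "1.0.1e"),
    Host("build-02", "test", False, False, "0.9.8y"),
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_HOSTS):
        print(f"{name}: {reason}")
```

Run as-is, the script flags only `test-app-07`, twice: once for the affected OpenSSL build and once for being reachable without having passed the hardening baseline. `build-02` is also unhardened but isolated, so it is not reported; in practice the exposure flag should come from an external reachability scan or firewall export rather than from a tag someone set by hand, since the whole point of the check is to catch the case where the tag and reality have drifted apart.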

Knippa said that CHS has an obligation under the Health Insurance
Portability and Accountability Act (HIPAA), as well as a patchwork of
legislation by different states, to not only protect patient information
but notify people as soon as possible if a breach is detected, which she
says didn’t happen in this case.

“Obviously, if people aren’t aware, they can’t be put on alert to recognize
fraudulent activity if their identity has been stolen,” said Knippa. “The
kind of information that was stolen – names, address, Social Security
number, driver’s license number – those numbers don’t change. You can
change a password and protect yourself that way, but you can’t change your
driver’s license or Social Security number, and this information is now in
the hands of thieves who can use it years from now.”

The lawsuit seeks damages to help victims of the data breach pay for
ongoing credit monitoring services and insurance in case their identities
are stolen. Knippa said that this protection is going to have to last
longer than a year because the information obtained by the thieves can be
exploited for years. Additionally, Knippa said that there are also monetary
damages associated with the stress and anxiety that come along with this
type of theft that they will ask the court to consider.

Aside from providing monetary relief for affected patients, Knippa said she
hopes this case will send a message to all organizations about the
importance of safeguarding personal information that has been entrusted to
their care.

“That is one of the purposes of a class action - to put the company on
notice and educate the public and really apply public pressure on the
company to improve their cybersecurity measures,” concluded Knippa. “From
all of the literature I’ve been reading and reviewing, the healthcare
industry is really deemed as a slacker in terms of its implementation of
effective cybersecurity measures.”

Calls seeking comment about the lawsuit from CHS were not returned.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/