Great Valley Cardiology Sued over 181,000-Record Data Breach – HIPAA Journal
A lawsuit has been filed against the Commonwealth Health cardiology group, Great Valley Cardiology (GVC), over a recently disclosed security incident in which hackers gained access to GVC’s computer network and the protected health information (PHI) of 181,764 individuals.
The data breach was discovered on April 13, 2023; however, the forensic investigation confirmed that hackers first gained access to GVC’s network 2 months previously on February 2, 2023. The review of the files potentially accessed or stolen confirmed they contained PHI such as names, medical information, Social Security numbers, credit/debit card information, and banking information. Individuals started to be notified about the data breach on June 12, 2023, as time was required to identify all affected individuals and verify contact information to allow notification letters to be mailed. Affected individuals were offered 24 months of complimentary credit monitoring and identity theft protection services.
A lawsuit was filed in Lackawanna County Court by attorney Andrew W. Ferich of the law firm Ahdoot & Wolfson, PC, against Commonwealth Health Physician Network, doing business as Great Valley Cardiology and Scranton Cardiovascular Physician Services LLC on behalf of plaintiff Michele Jarrow and similarly situated individuals who had their PHI compromised in the incident.
The defendants have not detected any misuse of patient information as a result of the breach; however, the lawsuit claims that patient information has been exposed and there is no way to ensure that the exposed information will not be misused. Consequently, the plaintiff and class members will need to spend time and money protecting themselves against fraud and identity theft for many years, and potentially for life. The plaintiff claims that she was informed by her security software that her personal information has been posted on the dark web, making it available to cybercriminals such as identity thieves.
In addition to failing to prevent the data breach, the lawsuit takes issue with the time taken to notify affected individuals that their data has been exposed. Notification letters were issued two months after the breach was detected and four months after the breach occurred, which the lawsuit alleges compounded the potential injury. The lawsuit alleges negligence, breach of fiduciary duty, breach of contract, and unjust enrichment and seeks class action status, a jury trial, damages, and attorneys’ fees.
Lawsuits are often filed in response to healthcare data breaches, but Article III standing is often only granted if the plaintiffs can prove they have suffered a concrete injury. Lawsuits that only allege a future risk of injury or harm as a result of a security breach often fail to be granted standing, even if stolen data has been published on the dark web.