Medical practice sued after being hit by cyberattack
Subscriber Benefit
As a subscriber you can listen to articles at work, in the car, or while you work out. Subscribe NowOne of Indiana’s largest ear-nose-and-throat medical practices was hit by a cyberattack in February that potentially compromised the private health information and billing records of more than 316,000 patients and employees.
Now, several victims have filed lawsuits against Otolaryngology Associates, saying the practice waited about six weeks to inform victims of the data breach.
The suits, filed in Marion Superior Court, seek class-action status on behalf of all the victims.
Otolaryngology Associates, based in Carmel, has 13 locations that stretch from Kokomo to Shelbyville, according to its website. The practice did not respond to an email and a phone call from IBJ for comment.
On Feb. 17, Otolaryngology Associates became aware of the criminal cyberattack, according to a notice it sent to victims.
“While the investigation narrowed down which data might have been taken, it could not definitively determine which specific documents in that subset of data may have been taken,” the notice said. “As a result, OA could not rule out the possibility that protected health information and personal information of OA patients and staff may have been compromised during the attack.”
It said that hackers did not gain access to its medical records system. For the vast majority of people, the information involved billing records that included names, medical records numbers, codes related to services provided, the physician’s name, dollar amounts of charges and name of insurance company.
But for some people, the impacted information might have included Social Security number, driver’s license number, address, date of birth, insurance plan numbers and other information.
“We encourage patients and staff to be vigilant in reviewing any types of financial account, insurance statements and credit reports for fraudulent or irregular activity,” the notice said.
The cyberattack was submitted to the U.S. Department of Health and Human Services Office for Civil Right Breach Portal on April 1. It said about 316,802 people were potentially affected.
But for some people who received the notices, the suit says, Otolaryngology Associates did not do enough to protect the sensitive information and took weeks to notify them.
Elizabeth and Larry Wilson, who live in Marion County and were patients of OA, filed a suit claiming that the practice didn’t send out notices until April 1.
“When the data breach was discovered, (OA) ailed to promptly notify victims of the data breach of the types of information that was stolen,” the complaint said.”… The data breach was preventable and directly resulted from OA’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect patients’ personally identifiable information.”
In a separate suit filed by Martha Madison, the practice is accused of “willfully, recklessly or negligently” failing to protect sensitive information. The complaint did not give Madison’s county of residence or say whether she was a patient.
Both suits accuse Otolaryngology Associates of breach of contract, unjust enrichment, negligence and breach of fiduciary duty.
They ask the court to certify the action as a class action, which could combine all the victims’ complaints into one suit.