Class action sought by lawsuits in massive Indiana health care data breach

August 07, 2015
by Thomas Dworetzky, Contributing Reporter
A pair of lawsuits in a massive Indiana health care records hacking case is just the latest turmoil for health care providers facing an ongoing onslaught of black-hat thieves targeting the rich lode of EHR data.

The suits, filed in federal court, seek class action status over a digital break-in that exposed the private information of 3.9 million people. The data was compromised at Medical Informatics Engineering, through its NoMoreClipboard subsidiary, and the breach was discovered in May, according to the firm.

The compromised information includes patients' names, Social Security numbers, birth dates and addresses, the Journal Gazette of Fort Wayne reported.

The company contacted the FBI's cyber unit in May and began reaching out to patients in mid-July. It also offered those potentially impacted credit monitoring services.

The data breach hit several health care providers, including: Concentra; Fort Wayne Neurological Center; Franciscan St. Francis Health in Indianapolis; Gynecology Center Inc. in Fort Wayne; Rochester Medical Group; RediMed; Fort Wayne Radiology Association LLC, including Nuvena Vein Center and Dexa Diagnostics; Open View MRI LLC; Breast Diagnostic Center LLC; P.E.T. Imaging Services LLC; and MRI Center-Fort Wayne Radiology Inc., according to MIE.

But one plaintiff attorney, Richard Shevitz, told ABC's RTV 6 in Indianapolis, "The monitoring needs to go on for many, many years. The dangers and risk of exposure and hacking like this can cause even young children to experience identity theft scenarios when they reach adulthood."

The first lawsuit was filed last week by one patient, James Young. The second was filed Tuesday by Rory Hill, Nicole Hill and Dawn McLaughlin. Both suits seek class action status for all patients whose records were involved in the breach, according to the Fort Wayne Journal-Gazette.

The lawsuits accuse the company of negligence, alleging that Medical Informatics Engineering did not take sufficient action to block the data breach, didn't adhere to industry standards for protecting data, and also neglected to correctly employ systems or security sufficient to provide protections, according to court documents.

"Given the risk involved and the amount of data at issue, MIE's breach of its duties was entirely unreasonable," stated plaintiff attorneys, according to the paper.

Eric Jones, co-founder and CEO of Medical Informatics Engineering, confirmed to the Associated Press on Thursday that the company is aware of the two pending lawsuits.

"Our primary focus at this time is on responding to requests for information to those affected and helping them to enroll in credit monitoring and identity protection services," he said.

Fred Cate, a cybersecurity expert, underscored the complexity of a plaintiff winning in such lawsuits in comments to Indiana Public Media. “Even if you show some sort of damage like ‘I worry about it now’ or ‘I apprehend that I may be the victim of identity theft,’ how do you quantify that loss?” Cate says. “Right now, most companies are giving one or two or more years of credit monitoring. What more do you want? Will paying $5 to everyone whose information has been breached do anything to make them feel better or get companies to do more? It might. I think the jury is still out on that.”