A patient has filed a class-action negligence suit against a network of Brooklyn hospitals whose data systems were breached and medical records exposed during a cyber attack.
Plaintiff Kiya Johnson filed the suit in Brooklyn state Supreme Court after receiving an April 20 letter from One Brooklyn Health acknowledging that an “unauthorized actor” hacked its data operations and “acquired” a “limited” amount of data between July 9 and Nov. 11 of last year, when the breach was discovered.
Defendant One Brooklyn Health oversees Brookdale, Interfaith and Kingsbrook Jewish hospitals — so-called “safety net” facilities because they serve among the poorest and neediest patients in the city and receive tens of millions of dollars in subsidies from the state.
It also runs 60 medical clinics and its board is chaired by Alexander Rovt, a billionaire and mega-donor to Gov. Kathy Hochul.
The OBH letter informed Johnson that her personal information “may have been accessed and acquired without authorization.”
“OBH has no indication that the data affected by this incident has been used to commit identity theft, fraud, or other financial harm. However, we are notifying you out of abundance of caution because the information presence in the accessed files included your name and health insurance information, medical billings claim information, medical record number, medical treatment information and prescription information,” the health care provider said in the extraordinary notification five months after the breach.
OBH said it has beefed up its cybersecurity protections and offered to pay credit card monitoring/reporting and fraud protection assistance to patients to help protect against ID theft and other crimes.
“OBH apologizes for any inconvenience this incident may cause you and remains committed to protecting the privacy and security of information its possession,” the letter said.
But Johnson and her lawyers said the efforts by OBH are too little and too little because her and other patients’ information have already been compromised.
The suit seeks class-action status.
“A wide variety of [personal information] was implicated in the breach, including but not limited to: name, date of birth, Social Security numbers, driver’s license and state ID numbers, financial account and payment card information, medical information, and health insurance information,” the suit, filed by lawyer with Shub & Johns and Wittels, McInturff and Pulikovic.
“Plaintiff and Class Members are now at a significantly increased and certainly impending risk of fraud, identity theft, misappropriation of health insurance benefits, intrusion of their health privacy, and similar forms of criminal mischief, risk which may last for the rest of their lives.”
The class action suit seeks an unspecified amount of damages after accusing OBH of negligence, breach of fiduciary duty, breach of confidence, breach of implied contract, unjust enrichment, and violating consumer protection and other business laws in New York State.
It comes amid other cyber hacks, including a virtual Brooklyn community board meeting hijacked by a masturbating creep Wednesday night.
OBH and all other medical providers are required to protect patients’ information and records under the federal Health Insurance Portability and Accountability Act.
The healthcare sector suffered at least 337 breaches in the first half of 2022 alone, according to Fortified Health Security’s mid-year report released in July 2022, cited in the suit.
Pro-Russia hacktivist group, KillNet, also has actively targeted the US healthcare sector since December 2022, the US Department of Health & Human Services recently reported.
The rate of identity theft complaints has skyrocketed along with cyber attacks and breaches, jumping from 2.9 million victims in 2017 to 5.7 million people in 2021.
“Plaintiff and Class Members would not have obtained medical services from OBH, or paid the amount they did to receive such, had they known that OBH would negligently fail to adequately protect their [personal information]. Indeed, Plaintiff paid for medical services with the expectation that OBH would keep their [records] secure and inaccessible from unauthorized parties,” the suit said.
“As a result of Defendant’s failures, Plaintiff and Class Members are also at substantial and certainly impending increased risk of suffering identity theft and fraud or misuse of [personal information].
OBH CEO LaRay Brown had no immediate comment.