USA — US-based Johns Hopkins Health System has been entangled in a class action lawsuit following a third-party data breach that was uncovered in May.
The lawsuit, filed in Maryland District Court, alleges that the health system failed to implement adequate safeguards to protect the personal health information and identifiable data of those affected by the breach.
On May 31, Johns Hopkins discovered that it had fallen victim to an attack on a vulnerability in its file transfer software, carried out by a Russian-linked ransomware group.
While the exact number of affected individuals remains unknown, the lawsuit estimates that it could potentially reach “tens/hundreds of thousands” of people.
This class action suit comes at a time when hacking incidents targeting healthcare firms are on the rise, as more companies and health systems transition to electronic health records.
According to federal records, from 2010 to 2022, data breaches exposed a staggering 385 million patient records.
Pamela Hunter, a client of the hospital, filed the lawsuit on July 7. It alleges that Johns Hopkins was aware of the “substandard” condition of its information systems and breached its implied covenant of good faith by failing to maintain adequate security protocols.
The data breach at Johns Hopkins was facilitated through a vulnerability in its MOVEit file transfer software.
This breach affected multiple government agencies, including the U.S. Department of Energy, and was attributed to the Russian-linked ransomware group Cl0p.
In February, the HHS issued a warning that Cl0p was responsible for breaches at healthcare organizations, including an attack on Tennessee-based Community Health Systems.
Despite Johns Hopkins’ awareness of the data breach in May, the class action suit claims that Hunter did not receive notice or even know that her personal health data was stored by the system until she received a letter dated June 24.
While HIPAA requires hospitals to notify individuals of a data breach “without reasonable delay” and no later than 60 days after its discovery, the lawsuit asserts that the plaintiffs lost valuable time dealing with potential consequences of the breach and were provided with insufficient details regarding the stolen data.
The lawsuit states, “Plaintiff and the Class Members remain, even today, in the dark regarding what data was stolen, the particular malware used, and what steps are being taken to secure their PHI/PII and financial information going forward.”
A report from cyber intelligence firm Black Kite reveals that last year, the healthcare industry was the most common victim of third-party breaches, as hospitals grappled with the aftermath of the COVID-19 pandemic.
Due to the industry’s inadequate cybersecurity protocols and interconnected health information systems, healthcare remains the highest-risk sector for third-party vendor breaches, according to the report.
Adding to the growing list of incidents, HCA Healthcare recently reported a data security breach that potentially impacted over 11 million patients.