A class action lawsuit has been filed against Pennsylvania-based Keystone Health due to a data breach that occurred in 2022 and affected approximately 235,000 people. On August 19, 2022, Keystone Health learned of a security breach. Subsequent investigation revealed that between July 28 and August 19, a third party had gained access to files on the system. The patient names, clinical data, and Social Security numbers were all contained in the files. Keystone sent letters to those who were impacted and provided credit monitoring services to those who qualified. The plaintiff’s legal team claimed in a lawsuit brought forth soon after patients were made aware of the breach that Keystone Health had neglected to take reasonable security precautions to safeguard sensitive data.
Within the lawsuit, the following is stated: “As a result of this delayed response, Plaintiff and Class Members had no idea their Private Information had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm,” the suit states…The risk will remain for their respective lifetimes.”
Given the foreseeability of ransomware attacks, the case contends that Keystone Health impeded the rights of their victims in an intention manor. According to the filing, the cybersecurity company Mimecast discovered that 90 percent of healthcare firms would encounter cyberattacks in 2020. The case also details that as Keystone failed to adequately secure or encrypt the sensitive data kept in its system, the healthcare entity has breached its obligations under the Health Insurance Portability and Accountability Act (HIPAA). Additionally, Keystone Health disregarded the Federal Trade Commission’s data security requirements, minimal industry cybersecurity standards, and privacy policy commitments to protect patient data.
Private health information (PHI) that is transferred, saved, or accessed electronically and is referred to as “ePHI” is likewise subject to HIPAA regulatory criteria. The HIPAA Security Rule, an amendment to the HIPAA law passed to take into account advancements in medical technology, governs ePHI. To reduce legal and operational risks, healthcare entities that are liable to the laws of HIPAA are obliged to closely monitor state and federal breach notification laws, document security and privacy policies, and put in place a strong cyber incident response strategy.