NextGen Faces Class Action Data Breach Lawsuit

by | Aug 10, 2024 | Compliance News

NextGen Healthcare, a provider of electronic health record (EHR) and practice management services, is facing a class action lawsuit over a ransomware attack in 2023. Hackers had access to the company’s computer systems between March 29, 2023 and April 14, 2023, and during that time exfiltrated a large amount of sensitive information, including PHI, from NextGen. The data breach report was submitted to the Maine Attorney General on May 5, 2023 and indicated that 1,049,375 people were affected. The incident was NextGen’s second ransomware attack, following an attack by the Blackcat ransomware group in January 2023.

It is not unusual for companies to suffer several ransomware attacks. The latest report from the cybersecurity company Semperis indicates that three-quarters of organizations that have experienced a ransomware attack were attacked more than once. Threat actors commonly leave malware behind during an attack that enables them to return and attack again after a few weeks or months.

More than twelve lawsuits were filed against NextGen after the data breach. The plaintiffs sought compensatory, punitive and statutory damages, extended credit monitoring services, and injunctive relief, and demanded that NextGen implement additional security measures to protect the privacy of stored data. The lawsuits were consolidated into one, Damon X. Miller v. NextGen Healthcare Inc., which was filed in the U.S. District Court for the Northern District of Georgia.

The consolidated lawsuit claims that NextGen could have avoided the data breach if it had implemented reasonable and appropriate security measures, yet failed to do so even though it had already suffered its first ransomware attack in January 2023. The consolidated lawsuit asserted 25 claims, including negligence, intrusion upon seclusion, unjust enrichment, breach of implied contract, breach of fiduciary duty, breach of bailment, and violations of state laws in California, Iowa, Illinois, Georgia, Maine, New Mexico, New Jersey, New York, and Pennsylvania.

NextGen moved to dismiss 22 of the 25 claims for failure to state a claim. U.S. District Judge Thomas Thrash dismissed most of the claims but denied the motion as to five counts, allowing the plaintiffs to proceed with the lawsuit. The court denied the motion to dismiss the counts of breach of fiduciary duty, litigation costs, violation of the California Consumer Privacy Act (CCPA), and violation of the Georgia Uniform Deceptive Trade Practices Act (GUDTPA). The court also denied the motion to dismiss the count of violation of the California Unfair Competition Law (UCL) as to a putative subclass or one of the plaintiffs.

NextGen had contended that, as a service provider to healthcare companies, it owed the plaintiffs no fiduciary duty because it had no direct relationship with them, and that the mere receipt and safekeeping of confidential information does not create a fiduciary relationship. Judge Thrash disagreed, noting that in certain circumstances the custody of private data that patients provided while receiving healthcare can give rise to a fiduciary duty under Georgia law. In his decision, Judge Thrash did not say whether the circumstances of this case rose to that level, since that was not a question that could be resolved on a motion to dismiss.

Judge Thrash found that the plaintiffs had plausibly stated a claim for litigation costs premised on bad faith, and the motion to dismiss the GUDTPA claim was denied because NextGen’s argument relied on an unadopted Report and Recommendation. The CCPA claim was allowed to proceed because, while NextGen contended that it is a service provider under the CCPA, the plaintiffs alleged otherwise, and Judge Thrash accepted those allegations as true at this stage of the litigation. The court denied the motion to dismiss the California Unfair Competition Law claim because the defendant was alleged to have accepted payment to safely store information and failed to take adequate security measures, which is sufficient to state a claim for restitution under the UCL.
