US Fertility faces a class-action lawsuit over a September 2020 ransomware attack and the resulting data breach, which impacted 878,550 people.
US Fertility offers IT systems and administrative, clinical, and business data services. It is one of the biggest vendors of support services to infertility clinics in America. On September 14, 2020, US Fertility discovered that ransomware had encrypted files on its systems. The investigation showed that the threat actors responsible for the attack copied files between August 12 and September 14, 2020, a few of which contained protected health information (PHI).
The types of information acquired by the attackers included names, birth dates, addresses, passport numbers, driver’s license and state ID numbers, health treatment/diagnosis data, medical record data, medical insurance and claims details, credit and debit card details, and financial account data.
The class-action lawsuit, filed by Plaintiffs Alec and Marla Vinsant, alleges that US Fertility failed to put adequate data security measures in place, which caused them permanent harm and put them at greater risk of identity theft and fraud.
The harm to breach victims that the lawsuit seeks to address includes the theft of personal information and its exposure to cybercriminals, unauthorized credit/debit card charges, costs associated with detecting and preventing identity theft and unauthorized use of financial accounts, damages from accounts being suspended or made unusable, the inability to withdraw money, the costs and time spent dealing with the breach and avoiding potential negative effects, and impending injury from prospective fraud and identity theft resulting from the sale of personal data on the dark web.
Class action lawsuits frequently claim harm, though in many cases the lawsuits fail because the plaintiffs cannot provide proof of injuries or losses suffered as a direct consequence of the data breach. That was the case with the proposed class action lawsuit against Brandywine Urology, which was recently dismissed by the Delaware Superior Court. Whether this lawsuit succeeds is likely to hinge in large part on whether the plaintiffs can present enough proof that they have experienced actual harm caused by the ransomware attack and data breach.
Plaintiff Alec Vinsant claims somebody used his Social Security number to fraudulently claim unemployment benefits in Nevada a month after the data breach happened, and plaintiff Marla Vinsant stated her credit score suddenly fell by 50 points right after the attack.
The lawsuit claims US Fertility had been warned that ransomware gangs were targeting the healthcare sector and knew of the need to encrypt data, yet failed to do so. US Fertility did not comply with Federal Trade Commission guidelines for data security. The lawsuit alleges breach of implied contract, negligence, unjust enrichment, and violation of the Nevada Deceptive Trade Practices Act.
The lawsuit seeks class-action status, a jury trial, compensation for plaintiffs and class members, reimbursement of out-of-pocket expenses and legal fees, and other relief. The lawsuit also seeks to require US Fertility to adopt proper data security policies and practices, such as encryption of sensitive information, removal or disposal of class members' PII, proper network segmentation, and penetration tests, to give the entire workforce more security awareness training, and to undergo third-party security evaluation, database scanning, and firewall testing.