Patients Sue Wilmington Surgical For Netwalker Ransomware Data Leak

A lawsuit has been filed by patients impacted by a Netwalker ransomware attack on Wilmington Surgical Associates and the subsequent leak of 13GB of data in October.

A lawsuit has been filed against Wilmington Surgical Associates in response to a ransomware attack in October. Allegedly, the Netwalker hacking group stole a trove of 13GB of data from the North Carolina provider and leaked the sensitive information online ahead of the encryption payload.

The filing, Jewett et al. v. Wilmington Surgical Associates, was recently removed to the North Carolina Eastern District Court.

Patients are seeking “redress for its unlawful conduct, and asserting claims for: negligence; negligence per se; invasion of privacy; breach of implied contract and fiduciary duty; and violation of the [State’s] Unfair and Deceptive Trade Practices Act…” 

The suit stems from an October data leak by the Netwalker ransomware hackers. At the time, the group posted proofs of the data theft, including thousands of files and hundreds of folders allegedly taken from the provider.

Those files were titled “2019 Photos”, “AdminScans”, “Dr Pictures”, “FORMS”, “Ins.Scan”, “Medicare Incentives”, “Vascular Lab”, and others file names that appeared highly sensitive in nature.

A lot of 1.79GB of data contained 3,702 files and 201 folders, which appeared to be a massive amount of employment information. The hackers also appeared to have taken a stockpile of financial and “year end” files.

According to the lawsuit, a breach notification was sent to 114,834 patients just before Christmas 2020. The provider disclosed that the hackers broke into two servers used for administrative purposes, which resulted in the theft of Social Security numbers, insurance details, and protected health information, among other sensitive data.

The patients impacted by the incident allege the cyberattack exposed their sensitive personal data, which is now in the hands of the attackers. They further argue that those impacted have “suffered ascertainable losses in the form of out-of-pocket expenses” and time spent remediating the effects of the ransomware attack.

The lawsuit argues Wilmington Surgical inadequately safeguarded the PHI and personally identifiable information in its possession, as well as failing to provide timely and adequate notice of the data hack and the type of information accessed during the incident.

The patients also claim the provider maintained the data “in a reckless and negligent manner” and that the provider and its workforce failed to properly monitor its network, system, and servers, which would have allowed them to discover the intrusion in a more timely manner.

“The PII and PHI were maintained on [the provider’s] computer network in a condition vulnerable to cyberattacks,” according to the suit. “The mechanism of the cyberattack and potential for improper disclosure of [patients’] PII and PHI was a known risk... as a healthcare provider.” 

“Additionally, in the notice sent to [patients], [Wilmington Surgical] acknowledged that ‘hackers have significantly increased their targeting of medical practices and hospitals,” it added. “Thus, [the provider] was on notice that failing to take steps necessary to secure the PII and PHI from those risks left that property in a dangerous condition.”

As a result of the breach, the patients claim their identities are at risk as the stolen data can be used to open new financial accounts and obtain loans. The stolen data can also be used for further phishing attacks, among a host of other privacy risks.

Those risks will continue indefinitely for those impacted by the event, including fraudulent charges applied to their personal accounts, financial losses incurred by using credit monitoring and fraud alert services, and the loss of time needed to prevent and mitigate risks directly tied to the incident.

These risks may also cause further damages, such as lowered credit scores and higher interest rates.

The lawsuit seeks compensatory damages, reimbursement of out-of-pocket expenses, restitution, and injunctive relief. The patients also want the court to require Wilmington Surgical  to improve its data security systems, as well as adhere to annual auditing and adequate credit monitoring services to be paid by the provider.

The filing joins a host of other healthcare data breach lawsuits filed in the last several months. Most of these lawsuits are settled out of court, which means the results can drastically vary. Some are dismissed for failing to adequately show actual harm occurred, while others are quietly settled for both small amounts and hefty price tags.

Next Steps

Dig Deeper on HIPAA compliance and regulation