Getty Images

Community Care Patients Sue Accounting Firm Over Data Breach

BST, the accounting firm for Community Care Physicians, was targeted by Maze ransomware in December. One of the 170,000 patients impacted by the breach has sued BST, citing negligence.

A class-action lawsuit has been filed against accounting firm BST and Co. CPAs, over a ransomware attack that breached the data of 170,000 patients from Community Care Physicians in New York, first reported by local news outlet Times Union.

The class-action lawsuit was filed in the New York Supreme Court in Albany at the end of May on behalf Elmer Keach III, a patient of Community Care Physicians. Community Care Physicians is not listed as a defendant in the case.

First reported in February, Maze ransomware hackers attacked the accounting firm’s network in December. The impacted server contained data from some BST’s local clients, including those from Community Care.

The investigation found the attack lasted for three days, from December 4 to December 7, 2019. The compromised data included both financial and patient information, such as names, dates of birth, billing codes, medical record numbers, and the like. BST recovered the impacted data from its backups.

The concern with the BST breach is that the Maze hacking group claimed the attack, posting what they purported were full data records from BST on the dark web for sale. According to the FBI, “From its initial observation, Maze uses multiple methods for intrusion, including the creation of malicious look-a-like cryptocurrency sites and malspam campaigns impersonating government agencies and well-known security vendors.”

The hackers are notorious for stealing data before launching the ransomware payload. Their cyberattack methods prompted other cybercriminals to follow-suit with what’s now being called double extortion and frequently targeting the healthcare sector.

Those concerns are spotlighted in the lawsuit against BST.

"In recent years, the Maze ransomware gang has gained notoriety for 'shaming' victims by exfiltrating and publishing organizations' sensitive data,” the lawsuit argues. "In particular, the Maze ransomware gang has been known to extort businesses by publicly posting breached data on the internet and threatening full dumps of stolen data if the ring's 'customers' don't pay for their files to be unencrypted."

"Despite learning of the ransomware attack on December 7, notification letters were not sent to affected patients until more than two months later on or around Feb. 14, 2020, well after the Maze ransomware gang published the private data online for all cyberthieves to access," it continues.

The lawsuit also takes aim at the credit monitoring offered to the breach victims after the attack, as it “squarely places the burden” on patients to investigate and protect their personal information from potential fraud.

In fact, the suit argues that BST sent instructions on how victims can enroll in credit monitoring services, rather than offering those services.

Further, the lawsuit claims that BST was intentionally negligent and reckless when protecting sensitive data from unauthorized access, failing to employ reasonable and adequate measures to protect its systems. Notably, New York has one of the toughest privacy laws in the country; the lawsuit argues BST violated those laws.

Specifically, BST lacked adequate security practices and computer systems, while failing to implement standard policies and tools to prevent ransomware attacks and employ adequate network monitoring. The breach victims also argue BST did not provide prompt notification that the attack occurred.

The lawsuit claims that had BST properly monitored its systems, it would have been able to detect the breach sooner. The “negligent” conduct has placed patients’ identities at risk of fraud, as their data “is now in the hands of data thieves.”

The breach victims are seeking adequate credit monitoring services and financial compensation for damages incurred by the attack, including reimbursement for out-of-pocket costs. BST would also be required to improve its data security and perform annual auditing of its systems.

This is the second healthcare data breach lawsuit filed against an entity in the last month. Some of the 166,000 victims of a monthlong data breach at Aveanna Healthcare recently sued the Georgia providers, citing a lack of timely notification and inadequate security.

These lawsuits have varying results and typically depend by the definition of actual harm, which can be hard to demonstrate. A host of healthcare provider organizations that have faced similar lawsuits opted to settle with victims, such as Banner Health, Premera Blue Cross, Quest Diagnostics, and others.

Next Steps

Dig Deeper on HIPAA compliance and regulation