International Trade Today is a Warren News publication.
'Unusual Activity and Ransomware'

Healthcare Firm Data Breach Affected 877K Customers, Says Class Action

A data breach at healthcare company Wright & Filippis (W&F) resulted in unauthorized access to highly sensitive patient and employee data for at least 877,584 individuals, alleged a class action (docket 2:22-cv-12961) Wednesday in U.S. District Court for Eastern Michigan in Detroit.

Sign up for a free preview to unlock the rest of this article

If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.

Private civil litigation arising from a major data breach is “now a probability, not a possibility,” warned the Quinn Emanuel law firm in a recent analysis (see 2210170002). It counted 36 major data breach class actions filed in 2021, a 44% increase from 2020, it said: “Private plaintiffs typically race to the courthouse to jockey for position, with complaints now brought on average within four weeks of a breach announcement.”

Plaintiff Scott Hamilton received a notice letter from W&F dated Nov. 18, saying the company became aware on or about May 2 of “unusual activity and ransomware” in its computer system, said the complaint.

The W&F investigation showed files on the company’s network were accessed by unauthorized users Jan. 26-Jan. 28 and “hundreds of thousands” of class members suffered “ascertainable losses” in the form of out-of-pocket expenses, time incurred to remedy or mitigate effects of the attack, emotional distress and the “imminent risk of future harm caused by the compromise of their sensitive personal information,” it said. Comprised data included names, dates of birth, Social Security numbers, financial and health insurance information and driver’s license information, it said.

Hamilton alleges W&F failed to provide timely and adequate notice to victims that their private information had been subject to unauthorized access by an unknown third party or to identify the specific information accessed. The company maintained customers’ private information “in a negligent and/or reckless manner,” the complaint said. Healthcare providers and partners are particularly vulnerable to cyberattacks because of the value of the data they collect, said the complaint.

W&F failed to meet the minimum standards of existing and applicable industry standards and failed to comply with accepted standards, said the plaintiff, "thereby opening the door to the cyber incident and causing the data breach."

The plaintiff seeks compensatory damages, treble and punitive damages, reimbursement of out-of-pocket costs and injunctive relief, including improvements to W&F’s data security systems, future audits and adequate credit monitoring services.

The company worked to identify any private information that may have been “subject to unauthorized access or acquisition” as a result of the breach and identify the individuals related to the information, said a notice on its website. “This process was time-sensitive, but ultimately necessary to properly identify potentially affected individuals,” it said.

Since the data breach, W&F implemented “a series of cybersecurity enhancements,” it said, including additional endpoint detection and response software, resetting all passwords and rebuilding affected servers, it said. W&F is offering identity theft protection services through IDX, which include 12 months of credit monitoring, a $1 million insurance reimbursement policy and “fully managed” ID theft recovery services, it said. The company said Thursday it is unable to discuss pending litigation.