
Business Law Today

September 2024

September 2024 in Brief: Internet Law & Cybersecurity

Juliet Marie Moringiello


Healthcare Data Breach Complaint Survives Motion to Dismiss

By Alan S. Wernick, Esq., Wernick & Associates, LTD.

Healthcare data breaches, in addition to impacting patient safety, typically top the list of data breaches most expensive to an industry. In Cahill v. Memorial Heart Institute, the U.S. District Court for the Eastern District of Tennessee considered a motion by Defendant, a healthcare provider, to dismiss Plaintiffs’ complaint arising from a data breach at Defendant’s healthcare operations. In its September 26, 2024, memorandum opinion, the Court denied Defendant’s motion to dismiss concerning Plaintiffs’ claims of negligence and breach of implied contract, and dismissed Plaintiffs’ other claims.

According to the alleged facts, “[o]n or before April 17, 2023, cyberthieves gained unauthorized access to Defendant’s information technology network. . . . [T]he criminal third parties accessed and exfiltrated private health and personal information (collectively ‘PII’), including social security numbers, of Plaintiffs and other current and former patients. Although Defendant discovered on May 31, 2023, that the cyberthieves had accessed 170,450 individuals’ private information in the data breach, Defendant did not notify the individuals identified as affected until July 28, 2023. More than two months later, Defendant disclosed that 411,000 people had been affected by the data breach, most of which were first notified on October 6, 2023.” This delayed notification was one of the factors the Court pointed to in not granting Defendant’s motion to dismiss Plaintiffs’ claims.

The Court also noted that Plaintiffs alleged that subsequent to the data breach, the cybercrime group “Karakurt” publicly claimed responsibility for the cyberattack. Plaintiffs further alleged that the “group exploits vulnerabilities or weak credentials of the computer network. . . . Although Karakurt’s primary extortion leverage is a promise to delete stolen data and keep the incident confidential, some victims reported Karakurt actors did not maintain the confidentiality of victim information after a ransom was paid.”

The bottom line is that cyberattacks have become increasingly common. The timeliness of notifying those affected can be a significant issue to be considered in light of the facts and applicable law(s) and regulation(s). Businesses that proactively consider their cyberthreat landscape and take preventive actions are more likely to save money in the long run, be more cybersecure, and more quickly mitigate the threat when a cybersecurity incident is discovered. As Ben Franklin is quoted as saying, “An ounce of prevention is worth a pound of cure.”

© 2024 Alan S. Wernick

    Editor