According to the alleged facts, “[o]n or before April 17, 2023, cyberthieves gained unauthorized access to Defendant’s information technology network. . . . [T]he criminal third parties accessed and exfiltrated private health and personal information (collectively ‘PII’), including social security numbers, of Plaintiffs and other current and former patients. Although Defendant discovered on May 31, 2023, that the cyberthieves had accessed 170,450 individuals’ private information in the data breach, Defendant did not notify the individuals identified as affected until July 28, 2023. More than two months later, Defendant disclosed that 411,000 people had been affected by the data breach, most of which were first notified on October 6, 2023.” This delayed notification was one of the factors the Court pointed to in not granting Defendant’s motion to dismiss Plaintiffs’ claims.
The Court also noted that Plaintiffs alleged that subsequent to the data breach, the cybercrime group “Karakurt” publicly claimed the responsibility for the cyberattack. Plaintiff further alleged that the “group exploits vulnerabilities or weak credentials of the computer network. . . . Although Karakurt’s primary extortion leverage is a promise to delete stolen data and keep the incident confidential, some victims reported Karakurt actors did not maintain the confidentiality of victim information after a ransom was paid.”
The bottom line is that cyberattacks have become increasingly common. The timeliness of notifying those affected can be a significant issue to be considered in light of the facts and applicable law(s) and regulation(s). Businesses that proactively consider their cyberthreat landscape and take preventive actions are more likely to save money in the long run, be more cybersecure, and more quickly mitigate the threat when a cybersecurity incident is discovered. As Ben Franklin is quoted as saying, “An ounce of prevention is worth a pound of cure.”
© 2024 Alan S. Wernick