Breach may affect hundreds of thousands
By: Bennett Loudon//November 15, 2023
A lawsuit seeking class action status has been filed against a doctors’ group after thousands of patients had their personal information compromised in a breach of the organization’s computer system.
The named plaintiffs are Tianna Worthey and Treshon Worthey, a parent and guardian of a minor child identified only as T.W.
They are represented by New York City attorney Philip M. Hines and attorney Kevin Laukaitis, in San Juan, Puerto Rico.
The defendant, Greater Rochester Independent Practice Association (GRIPA) Inc., is “a physician led partnership between the eight affiliate hospitals of Rochester Regional Health and more than 1,500 physicians in western New York, the Finger Lakes region, and St. Lawrence County,” according to the complaint filed in state Supreme Court in Rochester.
In May 2023, “unauthorized third-party cybercriminals” accessed patient information stored on GRIPA’s computer network with the intention of misusing the information, “including marketing and selling” the information, according to the suit.
“Plaintiffs and the class members remain, even today, in the dark regarding what particular data was stolen, the particular malware used, and what steps are being taken, if any, to secure their PHI (personal health information) going forward,” according to the suit.
“PHI are valuable commodities for which a ‘cyber black market’ exists in which criminals openly post stolen payment card numbers, Social Security numbers, and other personal information on several underground internet websites,” according to the complaint.
According to the complaint, personal information can be sold on the “dark web” at a price ranging from $40 to $200. Bank details have a price range of $50 to $200, the suit claims. And a stolen credit or debit card number can sell for $5 to $110. Criminals can also purchase access to entire company data breaches for $999 to $4,995, the suit claims.
According to a letter sent to affected patients, GRIPA is offering affected individuals an identity theft protection service, which includes one year of credit monitoring, and a $1 million insurance reimbursement policy.
The lawsuit estimates the number of individuals who had their data exposed is “hundreds of thousands.”
The compromised records include name, date of birth, test results, procedure descriptions, diagnoses, personal or family medical histories and other data.
The lawsuit accuses GRIPA of “intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures to ensure that plaintiffs’ and class members’ (personal health information) was safeguarded.”
The complaint asks for a preliminary injunction requiring GRIPA to implement a variety of measures to protect the patient records.
“Unless a class-wide injunction is issued, defendant may continue failing to properly secure the PHI of class members, and defendant may continue to act unlawfully,” according to the complaint.
The complaint also seeks interest on any amounts ultimately awarded to class members, attorney’s fees, costs, and litigation expenses.
GRIPA was among 2,500 organizations, including government and other healthcare organizations, that were targeted by a simultaneous cyberattack, GRIPA officials wrote in an email.
“We continue to monitor this situation closely and we are not aware of any misuse of any personal information that may have been compromised as a result of this incident,” GRIPA officials wrote.
“We sincerely apologize that this incident occurred, and will continue to monitor the situation closely,” they wrote.
Editor’s note: The author of this article has been notified that he is among the people affected by the cyberattack.