A lawsuit filed with the Manhattan Federal Court alleges that Empress EMS, an ambulance service based in New York, was negligent in its duty to protect patient data after the private information of over 300,000 patients was accessed during a ransomware attack. The attack, which was initiated on May 26, 2022, was launched by the Hive criminal group. During the attack, the criminals gained access to EMS Empress’ network and encrypted patient files. The attack was not noticed until July 14, 2022.
During the attack, the Hive group gained access to patient files that contained sensitive information such as names, birthdays, diagnoses and treatment data, medical record numbers, prescriptions, and other demographic data. Social Security Numbers were also stolen in a subset of cases. EMS Empress sent breach notification letters to the 318,558 affected patients, warning them that their data was exposed, and offered complimentary credit monitoring to the patients whose SSN was also taken.
The Office for Civil Rights, which sits within the Department for Health and Human Services and oversees HIPAA compliance, was also notified.
A lawsuit on behalf of Robert D’Agostini and other affected patients has been filed against Empress EMS. The suit, filed with the Manhattan Federal Court, alleges that Empress EMS breached an implied contract, failed to protect patient data, and that it violated New York Business Law. The suit also alleges that Empress EMS violated the Health Insurance Portability and Accountability Act of 1996 (better known as HIPAA).
In the lawsuit, it is highlighted that Empress EMS did not detect that a breach had occurred for nearly two months. It then took a further seven weeks to notify affected patients. It should, however, be noted that HIPAA only requires that breach notification letters be disseminated within 60 days of the breach’s discovery. Even so, the Act also states that Covered Entities should notify patients without undue delay.
The suit alleges that key pieces of information were omitted from Empress EMS’ breach notification letters. For example, it claims that the assertion that only a “small subset” of patients had their SSN stolen was misleading as it affected 100,000 of the 318,558 patients. Additionally, the letters did not mention that Hive was behind the attack.
The lawsuit seeks class-action status, a jury trial, actual damages (or $50 per class member, whichever is higher), treble damages, and punitive damages.