After the pain of ransomware…
New Jersey Hospital Network Faces Lawsuit Over Ransomware Attack
A proposed class-action lawsuit has been filed against New Jersey's largest hospital health network over a ransomware attack that happened in December.
Threat actors infected the computer systems of Hackensack Meridian Health, causing a system-wide shutdown on December 2. The attack disrupted services at 17 urgent care centers, hospitals, and nursing homes operated by the network.
News of the attack was leaked to the media on December 5. Eight days later, Hackensack confirmed that it had paid an undisclosed sum to retrieve files encrypted in the ransomware attack.
Now, a proposed class-action lawsuit has been filed in a Newark district court by two plaintiffs seeking compensation, reimbursement of out-of-pocket expenses, statutory damages, and penalties.
The plaintiffs are also seeking to secure injunctive relief that will require Hackensack Meridian Health to undergo annual data security audits, make improvements to its security systems, and provide three years of credit monitoring services to breach victims free of charge.
In the 45-page complaint, the plaintiffs allege that Hackensack Meridian Health failed to adequately protect patients' data. They accuse the healthcare provider of running its network in a “reckless manner” that left its computer systems vulnerable to cyber-attackers.
The lawsuit further alleges that as a result of the attack, patients suffered major disruptions to their medical care for two days and were forced to seek alternative care and treatment.
(Related)
PIH sued after notifying patients of phishing attack that could have exposed their protected health information
On January 24, I posted a breach notification from PIH Health with a commentary on how long it took from the time of the phishing attack to notification of almost 200,000 potentially affected patients. There was nothing in their notification, however, that suggested that patients had actually had their protected health information stolen or misused. Nor was their information destroyed or corrupted. Their information was in email accounts and could have been accessed by an unauthorized individual. From what I read, no patient had their care interrupted or even delayed.
On February 20, a potential class action lawsuit was filed against PIH.
The complaint, filed in the Central District of California with one named plaintiff, Daniela Hernandez, does not describe any actual injury or harm that Ms Hernandez suffered as a result of the breach, other than the usual claims of imminent harm, costs, etc. The complaint also includes counts under California and New Jersey laws.
The complaint was filed by the same law firm as two other class action lawsuits I recently noted and it contains some of the same claims and language that I thought were seriously exaggerated in the other complaints.
It was a poor decision on PIH’s part, I think, not to offer affected patients complimentary credit monitoring or restoration services, and I did question the timeliness of the notification, but consider the following allegations from the complaint:
As a direct and proximate result of Defendant’s breaches of its fiduciary duties, Plaintiff and Class Members have suffered and will suffer injury, including but not limited to: (i) actual identity theft; (ii) the compromise, publication, and/or theft of their Private Information; (iii) out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft and/or unauthorized use of their Private Information; (iv) lost opportunity costs associated with effort expended and the loss of productivity addressing and attempting to mitigate the actual and future consequences of the Data Breach, including but not limited to efforts spent researching how to prevent, detect, contest, and recover from identity theft; (v) the continued risk to their Private Information, which remains in Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect the Private Information in its continued possession; (vi) future costs in terms of time, effort, and money that will be expended as result of the Data Breach for the remainder of the lives of Plaintiff and Class Members; and (vii) the diminished value of Defendant’s services they received.
I am obviously unimpressed with these lawsuits and think they are only going to drive up the cost of healthcare and cyberinsurance. Maybe the legal community needs to speak up more about firms that are filing suits like these.
Or maybe I’m missing something and these suits are an absolutely wonderful way to try to get healthcare entities to take greater precautions against hacks and ransomware attacks because they’re not motivated enough already? Maybe, but somehow I doubt that.
The cost of poor management.
US government fines Wells Fargo $3 billion for its 'staggering' fake-accounts scandal
The settlement with the Justice Department and Securities and Exchange Commission, years in the making, resolves Wells Fargo's criminal and civil liabilities for the fake-accounts scandal that erupted nearly four years ago.
The deal does not, however, remove the threat of prosecution against current and former Wells Fargo employees.
Prosecutors slammed Wells Fargo for the "staggering size, scope and duration" of the unlawful conduct uncovered at one of America's largest and most powerful banks.
So, who doesn't Russia like? Perhaps we should be asking, what do Bernie and Donald have in common?
Bernie Sanders briefed by U.S. officials that Russia is trying to help his presidential campaign
(Related)
Heated Intelligence briefing relayed to Trump by House Republican allies
Republican lawmakers vocally objected to an intelligence briefing assessment that Russia prefers President Donald Trump to win in 2020 — and Rep. Devin Nunes of California, a close Trump ally, told the President about the election meddling briefing afterward, according to a person familiar with the matter.
More concern about e-mug shots?
Kate Allen and Wendy Gillis report:
Federal and provincial regulators are launching an investigation into whether Clearview AI, the company that makes facial recognition technology used by at least four Ontario police forces, breaks Canadian privacy laws.
The investigation was initiated “in the wake of numerous media reports that have raised questions and concerns about whether the company is collecting and using personal information without consent,” according to a joint statement.
Read more on The Star.
Not everyone is concerned about facial recognition.
LEAKED REPORTS SHOW EU POLICE ARE PLANNING A PAN-EUROPEAN NETWORK OF FACIAL RECOGNITION DATABASES
A POLICE INVESTIGATOR in Spain is trying to solve a crime, but she only has an image of a suspect’s face, caught by a nearby security camera. European police have long had access to fingerprint and DNA databases throughout the 27 countries of the European Union and, in certain cases, the United States. But soon, that investigator may be able to also search a network of police face databases spanning the whole of Europe and the U.S.
According to leaked internal European Union documents, the EU could soon be creating a network of national police facial recognition databases. A report drawn up by the national police forces of 10 EU member states, led by Austria, calls for the introduction of EU legislation to introduce and interconnect such databases in every member state. The report, which The Intercept obtained from a European official who is concerned about the network’s development, was circulated among EU and national officials in November 2019. If previous data-sharing arrangements are a guide, the new facial recognition network will likely be connected to similar databases in the U.S., creating what privacy researchers are calling a massive transatlantic consolidation of biometric data.
Google is not out of the woods.
Google reaches a settlement with state AGs after contesting consultants in antitrust probe
The settlement, which is pending in a Texas court, would allow the consultants to continue to advise the states’ investigation but also impose certain confidentiality restrictions on them, a source told CNBC.
I think every English class I ever took had a section on how to write a letter. My students tell me they have not been taught how to write an email.
The Best Way to End an Email Professionally