New York Healthcare Organization Faces Potential Lawsuits After Cyberattack

Refuah Health Center in Spring Valley, NY, is facing potential lawsuits after it began notifying 260,740 individuals of a “data security incident” it recently discovered.

In a statement released on April 29, 2022, Refuah Health Center said it immediately launched an investigation after it found that unauthorized access to its network had occurred between May and June 2021:

“We recently discovered unauthorized access to our network occurred between May 31, 2021 and June 1, 2021. We immediately launched an investigation…which concluded on March 2, 2022, we discovered that a limited amount of personal and/or protected health information was removed from our network in connection with this incident…”.

According to the statement, the impacted information included the affected individuals’ full names and one or more of the following:

  • Dates of birth
  • Social Security numbers
  • Driver’s license numbers
  • Medical record numbers
  • Health insurance policy numbers
  • Medical treatment/diagnosis information
  • Credit/debit card information
  • Bank/financial account information

The statement went on to say: “Please accept our apologies that this incident occurred. We are committed to maintaining the privacy of personal and protected health information in our possession and have taken many precautions to safeguard it.”

Within days of the statement’s release, multiple law firms announced they were launching investigations into the breach. In a notice posted on May 12, 2022, Washington, D.C.- and San Francisco-based Migliaccio & Rathod LLP said their firm “is currently investigating…Refuah Health…for failing to safeguard sensitive patient information…”.

The law firm’s notice also said the following: “Although Refuah’s investigation determined that patient information had been accessed in mid-2021, the company only began notifying victims of the incident in late-April of 2022. Due to this lapse in time between the breach and the notice to affected patients, hackers may have already been able to acquire and sell sensitive information and otherwise benefit from the fraudulent misuse of such information…”.

A similar notice was posted on May 12, 2022, on the website of the Ohio-based Lyon Firm:
“The Lyon Firm…is currently investigating Refuah Health Center data breach claims on behalf of plaintiffs nationwide.”

The following was taken from Lyon Firm’s web page regarding the investigation:

Veteran cybersecurity advisor Frank Schmuff, who directs the cybersecurity division of the Virginia- and Connecticut-based firm Proxios, said he has been working with healthcare organizations across the U.S., urging them to prioritize and take even the most basic steps to secure their computer networks and data.

“It’s difficult to imagine, but only 2% of companies actually have adequately funded cybersecurity programs,” he said. “The problem is that cybersecurity is too often thought of in terms of compliance, bolted on by a checklist approach instead of built into a company’s core technology and infrastructure. Adding cybersecurity as an afterthought, as most companies do, doesn’t fix security risks. You have to have a security mindset right from the beginning, and then prioritize accordingly.”

Schmuff added: “There needs to be an appropriate amount of attention and prioritization from business leaders if we ever hope to get ahead of the threat. Urgency must be placed on creating a culture of security by design.”

In the past year, Proxios has seen a rise in cyberattacks hitting a variety of healthcare organizations. During this time, the company has identified 5 Critical Holes that make healthcare industry companies prime targets for an attack—and these holes should be buttoned up immediately, according to the company.

Proxios is offering a free consultation on these five items and can move quickly on helping organizations of all sizes take corrective actions. For companies that need an assessment of their IT environments and security posture, Proxios can create a full Cybersecurity and IT report in a timely manner.

To see if your company is at risk, please contact Proxios.

Call Client Services: 804-864-8511
