Milberg Files Lawsuit Over Lamoille Health Partners Data Breach
by Brian Eckert
Milberg Coleman Bryson Phillips Grossman (“Milberg”) attorneys Gary M. Klinger and David K. Lietz have filed a class action lawsuit in U.S. District Court for the District of Vermont in response to a data breach incident at Lamoille Health Partners, Inc. that exposed the personal information of nearly 60,000 patients.
In an acknowledgement that impacted patients are at risk of imminent threat of financial fraud and identity theft, Lamoille has offered credit and identity monitoring services to victims. But Milberg’s lawsuit argues that these measures do not go far enough and seeks additional remedies that include compensatory damages and reimbursement for out-of-pocket costs.
If your personal information was exposed in the Lamoille Health cybersecurity incident, you may automatically be eligible to join this class action case.
Lamoille Suffered Ransomware Attack in June 2022
Lamoille admits in a data breach notice that on June 13, 2022 it discovered that it was the target of a ransomware attack. The provider subsequently worked with a cybersecurity firm to investigate the incident and concluded that “an unauthorized third party may have accessed and acquired certain documents from our systems between June 12, 2022 and June 13, 2022.”
According to Lamoille, cybercriminals may have accessed patient information that includes:
- Name, address, and date of birth
- Social Security number
- Health insurance information
- Medical treatment information
Some of this information qualifies as protected health information (PHI) as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). HIPAA Journal reports that the breach affected 59,381 Lamoille Health Partners patients.
Suit Alleges Lamoille Failed To Implement Appropriate Safety Measures
A record number of data breaches were reported in 2021 across industries, rising 68 percent year over year to the highest ever total.
Last year, healthcare attacks exposed the information of 45 million individuals, up from 34 million in 2020 and 14 million in 2018. In light of these findings, a healthcare cybersecurity strategist at Critical Insight noted that “the healthcare industry is a prime target for attackers to monetize PHI and sell on the Dark Web or hold an entity ransom unable to deliver patient care.”
Plaintiff’s and Class Members’ unencrypted, unredacted Private Information was compromised due to LHP’s negligent and/or careless acts and omissions, and due to the utter failure to protect Class Members’ Private Information.
In recent years, there have been numerous high profile data breaches at healthcare companies. The substantial increase in cyberattacks against the healthcare industry makes the risk of such attacks not only foreseeable, but likely. But as alleged in Milberg’s lawsuit, Lamoille failed to comply with cybersecurity industry standards and violated the HIPAA Security Rule.
“Plaintiff’s and Class Members’ unencrypted, unredacted Private Information was compromised due to LHP’s negligent and/or careless acts and omissions, and due to the utter failure to protect Class Members’ Private Information,” states the lawsuit filing. “Criminal hackers obtained their Private Information because of its value in exploiting and stealing the identities of Plaintiff and Class Members. The risks to Plaintiff and Class Members will remain for their respective lifetimes.”
Plaintiff Has Experienced Identity Theft and Fraud From Breach
Lamoille said in an August 11 statement that it “has no reason to believe that any personal information has been misused for the purpose of committing fraud or identity theft.” However, this statement directly contradicts the experience of the lead plaintiff in Milberg’s lawsuit.
Plaintiff and Class Members have been exposed to a heightened and imminent risk of fraud and identity theft.
The plaintiff, a Vermont resident, received a data breach notice from Lamoille in August. Later, they allegedly experienced identity theft and fraud when their Amazon account was accessed by an unauthorized third party.
Plaintiff has also received telephone calls from unknown parties stating that unauthorized parties had purchased computers on their Amazon account. They have spent significant time and money trying to mitigate and address the harms caused by the Lamoille data breach and anticipate having to do so indefinitely.
“As a result of the Data Breach, Plaintiff and Class Members have been exposed to a heightened and imminent risk of fraud and identity theft,” the lawsuit states. “Plaintiff and Class Members must now and in the future closely monitor their financial accounts to guard against identity theft.”
The nationwide class action seeks to represent the following plaintiff group:
All persons residing in the United States whose Private Information was compromised in the data breach announced by LHP in August 2022.
Milberg: A Leading and Pioneering Class Action Firm
Milberg pioneered federal class action litigation and is a national leader in data breach litigation. Allegations made in the Lamoille data breach lawsuit are similar to those in recent Milberg actions against JDC Healthcare and Maxim Healthcare.