June 29, 2023
In light of the recent massive PHI breach incident that sent shockwaves through the healthcare industry, the Commonwealth Health Physician Network-Cardiology, or Great Valley Cardiology (GVC), is now facing a lawsuit. Hackers successfully infiltrated the medical facility’s computer network, compromising the protected health information (PHI) of a staggering 181,764 individuals.
Details of the Data Breach: Timeline and Impact on Patient Data
The data breach at Great Valley Cardiology was discovered on April 13, 2023. However, a detailed forensic investigation revealed that the unauthorized access had begun much earlier, on February 2, 2023, two months prior. A review of the compromised files showed that they contained sensitive PHI, including names, medical details, Social Security numbers, credit and debit card information, and even banking records.
To ensure transparency and responsible communication, GVC initiated the process of notifying affected individuals on June 12, 2023. However, the comprehensive nature of the investigation necessitated the careful identification of all impacted parties and the verification of their contact information before the official notification letters could be mailed. As part of the remediation process, those affected by the breach were offered the reassurance of 24 months of complimentary identity theft protection and credit monitoring services.
In response to why the breach wasn’t disclosed sooner, officials stressed that a thorough two-month forensic investigation was required to identify all those affected by the incident. Additionally, to ensure broader awareness, ample notice regarding the breach was posted on the official website of the Commonwealth Health Physicians Network.
Lawsuit Filed Against Great Valley Cardiology
Attorney Andrew W. Ferich from Ahdoot & Wolfson, PC, has filed a lawsuit against Great Valley Cardiology in Lackawanna County Court. The legal action is on behalf of plaintiff Michele Jarrow and other individuals affected by the privacy breach, resulting in the compromise of their protected health information.
Although the defendants have not identified any instances of patient information misuse following the breach, the lawsuit asserts that the exposed data poses an ongoing risk. With no guarantees of safeguarding the compromised information, the plaintiff and fellow class members now face the burden of protecting themselves from potential fraud and identity theft. This obligation may necessitate significant time and financial resources, potentially spanning many years or even a lifetime.
The plaintiff alleges that her security software alerted her to the distressing revelation that her personal information had surfaced on the dark web, thereby rendering it accessible to cybercriminals, including identity thieves. The implications of this breach highlight the urgency to address the broader issue of data security within the healthcare industry.
Impact on Affected Individuals: Identity Theft Risks and Notification Process
The lawsuit surrounding a healthcare data breach raises concerns about the failure to prevent unauthorized access and the delayed notification process, compounding the potential harm caused. According to the lawsuit, the affected individuals were only informed about the breach two months after its detection and a staggering four months after the incident occurred. As claimed by the lawsuit, these delays exacerbated the potential injury the victims suffered.
The lawsuit seeks to address the alleged negligence, breach of fiduciary duty, breach of contract, and unjust enrichment. Furthermore, it aims to attain class-action status, a jury trial, damages, and attorneys’ fees.
Healthcare data breaches often attract lawsuits. However, establishing Article III standing can be challenging, as plaintiffs need to demonstrate concrete injuries. On top of this, lawsuits relying solely on the future risk of injury or harm resulting from a security breach often struggle to attain standing, even when the stolen data has surfaced on the dark web.
Lessons Learned From the Great Valley Cardiology Breach
At the heart of the Great Valley Cardiology breach lies a striking revelation: the importance of cybersecurity in healthcare cannot be overstated. The breach, initiated by a sophisticated cyberattack, exposed a vast amount of confidential patient data. This incident highlights the critical need for healthcare organizations to adopt multi-layered security frameworks that incorporate advanced threat detection systems, robust access controls, and regular security audits.
Moreover, the significance of prompt and transparent communication becomes evident. Delayed notification can exacerbate the potential harm suffered by affected individuals, undermining their trust in the healthcare organization’s commitment to their privacy. Timely and comprehensive notification to affected individuals, regulatory bodies, and relevant stakeholders is crucial to mitigate the consequences of a breach. Establishing clear communication channels and having a well-defined incident response plan in place can facilitate the rapid dissemination of information, fostering transparency and demonstrating a commitment to patient privacy.
The Great Valley Cardiology data breach is a stark reminder of the urgent need for ongoing advancements in healthcare data security. To prevent future PHI breaches, organizations must improve their cybersecurity posture, their ability to identify threats, and their incident response plans, and must prioritize preventative actions that preserve patient data.