Cardiovascular Associates Sued Over Recent Data Breach

The Alabama-based organization allegedly failed to meet its obligations under the FTC and HIPAA.

By HFT Staff


Cardiovascular Associates in Alabama is facing a class action lawsuit over a recently reported hacking incident in which patients protected health information (PHI) was stolen. The security incident was detected on December 5, 2022, and the forensic investigation determined hackers had access to its network for a week and exfiltrated files containing the PHI of 441,640 individuals, including names, addresses, birth dates, Social Security numbers, driver’s license numbers and health, insurance and billing/claims information. 

The lawsuit was filed on March 15, 2023, by the law firm Milberg Coleman Bryson Phillips Grossman PLLC on behalf of plaintiff, Samuel Lee. The lawsuit alleges Cardiovascular Associates “intentionally, willfully, recklessly or negligently” failed to implement reasonable and appropriate safeguards to ensure the confidentiality, integrity and availability of patient information, failed to meet its obligations under the Federal Trade Commission (FTC) Act and HIPAA and did not implement cybersecurity measures to industry standards, such as those detailed in the NIST Cybersecurity Framework. 

The lawsuit claims the plaintiff and other similarly situated individuals have suffered injury as a result of the conduct of Cardiovascular Associates, including invasion of privacy, lost or diminished value of private information, and lost opportunity costs from attempting to mitigate the consequences of the data breach. The plaintiff and class members now face an increased risk of identity theft and fraud as their private information is now in the hand of cybercriminals. As such, they will have to spend time and money protecting their identities, including paying for credit monitoring and identity theft protection services for years to come. 

The lawsuit states 10 causes of action: negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, wantonness, intrusion upon seclusion/invasion of privacy, declaratory judgement and violation of the Alabama Deceptive Practices Act. 

The lawsuit seeks class action status, a jury trial, attorneys’ fees, and an award of damages, including actual, statutory, nominal and consequential damages. The lawsuit also seeks injunctive relief and provides a 17-point list of measures that should be implemented. These include encryption of data, deletion of identifying information unless there is a reasonable justification for retention, the implementation of a comprehensive information security program, independent penetration tests and security audits, third-party automated security monitoring, regular database scanning, annual information security training for employees, and the appointment of a qualified and independent third-party assessor to conduct a SOC 2 Type 2 attestation annually for a period of 10 years. 



March 30, 2023


Topic Area: Information Technology , Safety , Security


Recent Posts

The Future of Backup Power Systems in Healthcare Facilities

Manufacturers discuss what trends are shaping the future of backup power systems in healthcare.


Infection Control is Key to Ongoing Measles Outbreak

Infection control is essential to protecting both patients and staff from contracting measles.


Kaiser Permanente to Open New Parker Medical Offices

It also announced it's in the early stages of planning a rebuild and expansion of its Westminster Medical Offices.


Skanska Completes Renovation for New Sutter Health Care Center

The new facility will provide internal medicine, family medicine, pediatrics, as well as lab and imaging services.


Probiotic Cleaners: The Start of a Cleaning Revolution?

Advantages of probiotic cleaning include fewer resistant genes and cost savings through decreased antibiotic use.


 
 


FREE Newsletter Signup Form

News & Updates | Webcast Alerts
Building Technologies | & More!

 
 
 


All fields are required. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

 
 
 
 

Healthcare Facilities Today membership includes free email newsletters from our facility-industry brands.

Facebook   Twitter   LinkedIn   Posts

Copyright © 2023 TradePress. All rights reserved.