BALTIMORE — Johns Hopkins University and Health System is being sued over a cybersecurity attack in May that affected their networks.
The breach impacted clients protected health information and personally identifiable information, including sensitive medical records and potentially social security, passport, driver’s license, and financial account numbers.
It’s remains unclear as to how many people had their private data exposed. According to the suit, that number could range somewhere between the tens or hundreds of thousands.
The class action lawsuit was filed in the federal district court of Maryland on behalf of a Hopkins client from Middle River, who claims she wasn’t notified about the breach until almost a month after it happened.
RELATED: Johns Hopkins impacted by widespread cyberattack, personal information may be affected
It accuses Hopkins of “intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures to ensure that Plaintiff’s and Class Members [information] was safeguarded.”
The client claims they suffer from anxiety and fear, that as result of the breach, they in the future could become the victim of identity theft, which would negatively impact them in many ways including financially.
In response to the lawsuit, Hopkins said they were one of several large organizations targeted at the time by hackers.
“Johns Hopkins University and Johns Hopkins Health System learned that our systems were among those affected by a broad-based cybersecurity attack that targeted a widely used software platform for transferring data files, called MOVEit,” Hopkins said in a statement. “This attack has impacted many large organizations and industries around the world.”
Hopkins also defended their handling of the situation.
“At Johns Hopkins, we took immediate steps to secure our systems and are working closely with cybersecurity experts and law enforcement. The privacy and security of Johns Hopkins community members and our patients is our highest priority, and we are actively in the process of communicating with impacted individuals. We also are making available resources and tools to protect against possible identity theft or fraud, and we encourage members of our community to visit our websites for more information.”
The lawsuit seeks to force Hopkins to pay plaintiffs an undetermined amount of restitution, and to upgrade their cybersecurity infrastructure.