
Patients sue Johns Hopkins for data leaked in MOVEit software breach; HHS probes ransomware attack that impacted 310,000

Faced with several pending lawsuits stemming from a May ransomware attack that accessed the information of over 310,000 patients, Johns Hopkins is seeking to avoid being wrapped into proposed large-scale litigation against companies whose data was leaked in the breach.

Since Hopkins sent notification letters to the patients, students and employees whose confidential information was leaked when a Russian extortion gang breached the MOVEit software, six nearly identical complaints filed in Baltimore’s federal courthouse have accused both the university and related health system of failing to take “reasonable” measures to protect their patients’ personal information.

The attack on Johns Hopkins Medicine’s data alone impacted over 310,000 people, according to an office of the U.S. Department of Health and Human Services that investigates breaches of protected health information. It’s not yet clear how many people affiliated with Hopkins had their data leaked in the attack on MOVEit, which also impacted Johns Hopkins University and the institution’s other related health systems.

The lawsuits filed by several patients who received a breach letter from Hopkins seek a class-action certification, and claim Hopkins negligently maintained sensitive data such as names, health billing records and Social Security numbers that were ultimately leaked in the breach.

A Hopkins spokesperson did not directly address the lawsuits when asked about them, but noted the institution “took immediate steps to secure our systems and are working closely with cybersecurity experts and law enforcement” after the attack that “impacted many large organizations and industries around the world.”

The suits in the U.S. District Court for Maryland claim the patients are at risk for future harm and have lost time dealing with the consequences of the May 31 breach. Only a few give specific examples — one complaint alleges a patient has been “receiving numerous scam phone calls asking for money” related to his medical treatment, and another says a patient found a fraudulent charge of $46.41 on her credit card after she received the notification letter.


The plaintiffs seek monetary damages, as well as for a judge to order Hopkins to implement data security measures in the wake of the breach.

Three of the lawsuits also make claims against Progress Software Corp., the Massachusetts company that developed the widely used file transfer application. Five of them were still under consideration Thursday to join a proposed nationwide class-action litigation against companies that used MOVEit and had information leaked, as well as Progress Software itself.

U.S. District Judge George Levi Russell III has ordered a temporary pause on a few of the Maryland lawsuits as Hopkins argues against being included in the widespread litigation against Progress and others, instead asking to defend against the patients’ claims, joined together, in Maryland.

The claims against Hopkins are among several MOVEit breach lawsuits waiting for a federal panel to rule whether the matters can be consolidated and tried in a Minnesota courthouse. Hopkins, as well as two of the plaintiffs suing the institution, have filed motions arguing the cases against the health system are distinct from the flurry of litigation against Progress Software and companies that used MOVEit.

A spokesperson for the HHS Office of Civil Rights, which is investigating the breach, said the agency “generally does not comment on open or potential investigations.”

Those who received a letter from Hopkins stating their information was compromised in the breach can enroll in credit monitoring by calling 888-703-9247 on weekdays between 9 a.m. and 9 p.m.

Because of the scope of the widespread attack, those who don’t receive a letter from Hopkins are encouraged to monitor their bank accounts and credit reports for unusual activity, consider placing fraud alerts with the major credit bureaus, look out for suspicious emails or messages, and sign up for credit monitoring services.



National Cyber Security