Following a September 2020 ransomware attack and data breach that impacted 878,550 people, US Fertility is now facing a class action lawsuit for allowing it to occur.
US Fertility is one of the largest providers of support services to infertility clinics in the United States. The company discovered on September 14, 2020 that ransomware had been used to encrypt its files and databases. The investigation showed that the cybercriminals responsible for the attack stole files, some of which included protected health information, at some point between August 12 and September 14, 2020.
The class action lawsuit claims that US Fertility did not configure sufficient data security measures, which resulted in plaintiffs Alec Vinsant and Marla Vinsant and class members suffering significant harm and being placed at a high risk of identity theft and fraud.
Names, addresses, dates of birth, driver’s license and state ID numbers, passport information, medical details/diagnosis information, medical record data, health insurance and claims information, credit and debit card data, and financial account details were obtained by the hackers.
The alleged harm caused by the attack and data breach includes the theft of personal data and its exposure to hackers, unauthorized charges on credit/debit card accounts, costs linked to the detection and prevention of identity theft and unauthorized use of financial information, damages due to accounts being inaccessible or unusable, inability to withdraw finances, costs and time connected with addressing the breach and stopping future negative consequences, and imminent and impending injury from potential fraud and identity theft as a result of personal information being placed for sale on the dark web.
Class action lawsuits often claim that harm occurred, although in a lot of cases the lawsuits fail as the plaintiffs are unable to provide proof of injuries or losses suffered due to the data breach. That was the case with the proposed class action lawsuit filed against Brandywine Urology, which was recently thrown out by the Delaware Superior Court. Whether this lawsuit succeeds is likely to depend on whether the plaintiffs can provide proof that they have been harmed.
Plaintiff Alec Vinsant claims that a person used his Social Security number to fraudulently apply for unemployment benefits in Nevada a month after the data breach and plaintiff Marla Vinsant said her credit score had unexpectedly dropped by 50 points after the attack.
The lawsuit claims that US Fertility was on notice that the healthcare sector was being targeted by hacking groups and was aware that data needed to be encrypted, yet did not do so, and that US Fertility failed to adhere to Federal Trade Commission requirements for data security. The lawsuit alleges negligence, breach of implied contract, unjust enrichment, and violations of the Nevada Deceptive Trade Practices Act.
The legal action is aiming for class action status, a jury trial, damages for plaintiffs and class members, reimbursement of out-of-pocket expenses and legal costs, and other relief. It also demands that US Fertility put in place adequate data security policies and practices, including encryption of sensitive data, erasure or destruction of class members’ PII, appropriate network segmentation, and penetration tests, that it provide additional security awareness training for the staff, and that it be subjected to third-party security audits, database scanning, and firewall tests.