Prestige and high rankings are no guarantee of cybersecurity strength. Healthcare institutions with stellar reputations can fall victim to cyber thieves who want to steal valuable protected health information (PHI). In this case, cyber thieves broke into the network through Progress Software’s MOVEit program, which Johns Hopkins University uses, and hospital patient data was compromised.
Johns Hopkins University and its Johns Hopkins Health System (Johns Hopkins) are facing at least two proposed class action lawsuits alleging negligence for failing to protect individuals’ private information against theft by cybercriminals. The lawsuits were filed in the U.S. District Court for the District of Maryland on July 7 and 10, respectively, and both stem from the data breach caused by the MOVEit file transfer software that Johns Hopkins used.
Early last month Johns Hopkins disclosed that it had been notified by its third-party software vendor, Progress Software, of a technical vulnerability in the MOVEit software. On May 29, 2023, that vulnerability allowed an unauthorized party to gain access to the Johns Hopkins server that hosted the MOVEit software and to download Johns Hopkins’ documents from it. Hundreds of other organizations, large and small, in the U.S. and across the world have also had data stolen through the MOVEit breach.
Johns Hopkins has not disclosed how many individuals’ data was compromised, but the two pending lawsuits estimate the total to be in the thousands or tens of thousands.
Johns Hopkins described the type of information compromised:
“The information involved varied by individual but may have included one or more of the following: name, address, email address, phone number, guarantor information, general billing information, account number, date of birth, Social Security number, medical record number, health insurance information, information related to care received at Johns Hopkins, such as procedure information, location of service, treatment cost, diagnosis, medications, provider name, and/or date(s) of service.”
Lawsuits and Investigations are Costly
When breaches affect thousands of people at once, lawsuits are nearly guaranteed to follow. Lawyers who specialize in class action lawsuits advertise on the internet to find victims who may want to participate; once the first one or two respond and the lawsuit is filed, other affected individuals can join later.
Whether the lawsuits ultimately succeed is difficult to predict without knowing more detail about what went wrong, and how much Johns Hopkins’ actions, or lack of actions, may have contributed. To succeed, the plaintiffs will need to demonstrate actual injury (not speculative future injury) and prove that the defendant’s conduct caused the damage. For more, see Thumbs Up or Down – Healthcare Data Breach Lawsuits.
In addition to the class action lawsuits, Johns Hopkins will be investigated by the Office for Civil Rights (OCR), the agency that enforces HIPAA, since OCR investigates all breaches that affect 500 or more individuals.
Business Associate Due Diligence is the Key
Covered entities like Johns Hopkins are required by HIPAA to monitor their third-party vendors that handle PHI. This means they must conduct due diligence to make sure their business associates follow HIPAA and perform a regular Risk Analysis. Then they need to enter into a business associate agreement with them.
Although the class action lawsuits pending in Maryland are not HIPAA lawsuits per se, since HIPAA does not allow for private lawsuits, the lawyers and the judges will be comparing Johns Hopkins’ policies and procedures to HIPAA because HIPAA represents a standard of care. The issue is whether Johns Hopkins was negligent in how it cared for patient data.
HIPAA Compliance Protects Data and Reduces Costs
In addition to maintaining your own compliance, make sure your HIPAA Business Associates are in compliance.
Do your own annual Risk Analysis, use the Security Rule Checklist for your security risk assessment, and conduct business associate due diligence to shore up cybersecurity protections over patient data in your care. If your HIPAA compliance includes all of these steps, it is much less likely that a lawsuit alleging negligence will succeed.