One Brooklyn Health System in New York discovered a massive data breach in November 2022. More than 235,000 patients were affected. Last week a class action lawsuit was filed against them.
The hospitals affected by the incident were Brookdale Hospital Medical Center, Interfaith Medical Center, and Kingsbrook Jewish Medical Center, as well as several nursing homes and health clinics.
The first headache was EHR downtime – medical staff reverted to pen and paper to record their work and track patient care. That continued for weeks. Then came publicity problems and getting drawn into New York politics. Now a HIPAA investigation is certainly underway with the Office for Civil Rights (OCR), which investigates all healthcare data breaches affecting 500 or more individuals. (Although the larger breach has not yet appeared on the OCR Breach Portal, it appears One Brooklyn filed a breach report on January 18, 2023, as affecting 500. One Brooklyn has also filed separate breach reports with the Maine and Montana Attorneys General, both noting that 235,251 individuals were affected.)
On top of all this, on April 26, 2023 a proposed class action lawsuit was filed against the One Brooklyn Health System by an individual, Kiya Johnson, for herself and on behalf of all others “similarly situated”.
One Brooklyn’s breach notice posted on its website says an investigation into the incident determined that:
“an unauthorized actor acquired a limited amount of OBH data during a period of intermittent unauthorized access to OBH’s computer systems between July 9, 2022, and November 19, 2022.”
The notice indicates that the unauthorized party accessed names, Social Security numbers, driver’s license and state identification numbers, dates of birth, financial account information, medical treatment information, prescription information, medical information, and health insurance information. After completing its investigation in late March, One Brooklyn began sending data breach notification letters to all affected individuals.
Class Action Lawsuit Alleges Negligence
The lawsuit filed in the Kings County Supreme Court in Brooklyn alleges that One Brooklyn (or OBH) was negligent by failing to adequately protect sensitive health and personal information, putting affected individuals at risk for identity theft and fraud. The lawsuit also alleges that One Brooklyn violated New York state consumer protection laws and failed to provide affected individuals with timely notification about the breach. The lawsuit is seeking monetary damages, restitution and injunctive relief.
Note the lawsuit does not allege failure to follow HIPAA, because HIPAA does not provide individuals with a right to sue. As a practical matter though, if the lawsuit reveals negligence in protecting patient privacy and security under state privacy and consumer protection laws, a strong case will be made that One Brooklyn failed to comply with HIPAA. The potential HIPAA violations will be pursued by OCR.
Benjamin Johns, of the law firm Shub & Johns LLC said:
“We are seeking to hold OBH accountable by requiring it to compensate victims of the data breach and to ensure that adequate security measures are implemented to prevent an event like this from happening again in the future.”
The lawsuit specifically asks that One Brooklyn be required to implement improved data security practices.
For its part, One Brooklyn (or OBH) explained in its breach notice:
“As part of its ongoing commitment to the privacy and security of information, OBH is reviewing its existing policies and training protocols related to data protection. Further, OBH implemented enhanced security measures and additional monitoring tools to reduce any risk associated with this incident and to better prevent similar incidents in the future. OBH has communicated with law enforcement and with healthcare authorities regarding this incident.”
Choices for One Brooklyn Health
Not much is known yet about the exact nature of the cybersecurity incident that set off the breach. We don’t know the specifics of how the unauthorized actor obtained access. As the lawsuit unfolds more may be revealed through discovery.
When OCR investigates under HIPAA, they will learn more, and if the investigation results in a settlement, OCR will publish a press release and the settlement agreement.
For now, the best path forward for One Brooklyn Health is to shore up its HIPAA compliance. In addition to reviewing its policies and procedures to make sure they’re up to date, One Brooklyn should conduct a new Risk Analysis, refresh its Risk Management plan, and conduct training for staff: general HIPAA training plus cybersecurity awareness training. All of this will be required anyway after any OCR investigation, and will likely be part of any lawsuit settlement.
It’s also just good HIPAA compliance – review, improve, and keep HIPAA Risk Management a priority year-round.