Atlanta Women’s Health Group Data Breach Lawsuit Says OB/GYN Practice Waited 10 Mos. to Notify Victims
M.T. v. Atlanta Women’s Health Group, P.C.
Filed: April 3, 2024 ◆ 1:24-cv-01422
Atlanta Women’s Health Group, P.C., faces a proposed class action lawsuit over an allegedly “foreseeable” April 2023 data breach that went undisclosed to the OB/GYN practice’s tens of thousands of current and former patients for nearly a year.
The 95-page data breach lawsuit says that although Atlanta Women’s Health Group learned on April 12, 2023, that an unauthorized party had accessed its servers—and the sensitive personal health information contained therein—the practice only began to notify victims of the cyberattack in January 2024, 10 months after the incident. To date, Atlanta Women’s Health Group, one of the largest OB/GYN practices in the Southeast, has not explained the reason for the months-long data breach notification delay, the filing says.
Atlanta Women’s Health Group serves roughly 300,000 patients over 400,000 annual visits, the case shares. According to the lawsuit, the Atlanta Women’s Health Group data breach in 2023 was due to inadequate cybersecurity, and proposed class members’ sensitive medical data is now in the hands of cyberthieves as a result of being maintained negligently and in a condition “vulnerable to cyberattacks.”
“Plaintiff and Class Members must now and in the future closely monitor their financial accounts, credit reports, and tax returns to secure their accounts in an effort to deter and detect identity theft and fraud,” the suit reads, noting later that the practice does not know which specific patients’ data was compromised.
According to the case, Atlanta Women’s Health Group’s email notice of the data breach confirmed that an unauthorized user accessed certain files containing personal information, and the practice relayed that a forensic inquiry determined that though its electronic health record systems remained secure, the files that were in fact accessed contained certain protected health information.
Per the complaint, the information exposed in the Atlanta Women’s Health Group cyberattack includes, but is not limited to, patients’ names, dates of birth, addresses, phone numbers, patient account numbers, medical histories, diagnoses, treatment plans, insurance data, and the details of pregnancies, abortions, sexually transmitted diseases, genetic conditions, mental health diagnoses and prescriptions.
The suit contends that Atlanta Women’s Health Group expressly and impliedly ensured that patients’ data would remain confidential and secure and would not be disclosed to third parties. This arrangement included the understanding from patients that the practice would “take steps to implement adequate and reasonable cybersecurity procedures and protocols” to protect their data, the case stresses.
Although Atlanta Women’s Health Group claimed in its data breach notice to have “secured evidence” that the hacker permanently deleted the stolen data, the lawsuit scathingly counters that had the practice properly stored the information in the first place, “then the ‘unauthorized user’ would have had nothing to ‘delete.’” Moreover, the suit highlights that the practice has no proof of whether the perpetrator who carried out the cyberattack permanently erased the data and retained no copies of what was stolen.
“The January 30, 2024 email notice does not provide Plaintiff and other Class members with any proof that the ‘unauthorized user’ in fact ‘permanently deleted all compromised data.’ The notice does not explain why Defendant, or the Plaintiff and other Class members, should trust assurances about deletion of valuable, highly sensitive, [personally identifiable information] and [protected health information] from the same ‘unauthorized individuals’ who successfully conducted a targeted cyberattack against one of the largest OB/GYN practices in the Southeast for the purpose of acquiring that valuable, highly sensitive, personal data.”
The suit adds that Atlanta Women’s Health Group was required under the Health Insurance Portability and Accountability Act (HIPAA) to notify data breach victims and the United States Department of Health and Human Services (HHS) within 60 days of the incident given that the breach involved more than 500 people.
“When Defendant finally did notify its patients about the Data Breach, it claimed that ‘in an abundance of caution’ it was notifying all patients, including those who are not affected,” the case reads. “If true, Defendant had even less reason to wait eight months after notifying HHS to notify its patients.”
The Atlanta Women’s Health Group data breach lawsuit looks to cover all U.S. residents whose private information was accessed and/or acquired by an unauthorized party as a result of the data breach reported by the practice in January 2024, including everyone who received a notice about the data breach on or around January 30 of this year.