Class Action Claims Ascension St. Vincent’s Coastal Cardiology Failed to Prevent Data Breach Affecting Over 70K Patients

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit accuses Coastal Cardiology P.C. of failing to properly protect the personal information of 71,227 patients from a “foreseeable” cyberattack reportedly discovered in mid-August 2022.

According to the 70-page lawsuit, an unauthorized third party accessed the network of Coastal Cardiology and compromised current and former patients’ sensitive data related to visits prior to October 5, 2021. The suit relays that the personally identifiable information (PII) and protected health information (PHI) accessed in the data breach included patients’ names, addresses, email addresses, phone numbers, Social Security numbers, clinical information, billing details, and insurance information.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The case contends that the sensitive data on Coastal Cardiology’s network was stored in a “vulnerable” and “dangerous condition,” and that the data breach was a direct result of the company’s failure to use “basic data security practices.” Had the defendant—who, after an October 2021 merger, does business as Ascension St. Vincent’s Coastal Cardiology—adequately monitored its computer systems, it would have detected the unauthorized access sooner, “rather than allowing cybercriminals unimpeded access to the PII and PHI,” the complaint charges.

The filing also takes issue with Coastal Cardiology’s alleged failure to provide timely notice to victims of the breach. Though the defendant learned of the cyberattack in mid-August 2022, letters were sent to those impacted by the breach two months later, in mid-October, the lawsuit says.

In the notice, the defendant claims that no Ascension networks or systems were affected by the so-called “security event,” and that the impact was limited to patients of Coastal Cardiology prior to October 5, 2021, the suit explains. The defendant also relays in the notice that because the private information was encrypted by the hackers, Coastal Cardiology is unable to inform victims of what precise data was stolen, the case says.

By collecting and storing patients’ sensitive information, the Georgia-based medical practice had a legal obligation to protect it from ransomware attacks, the complaint charges. The filing argues that this was “foreseeable” as “[t]he significant increase in attacks in the healthcare industry, and attendant risk of future attacks, is widely known to the public and to anyone in that industry, including Defendant Coastal Cardiology.”

The plaintiff, a Georgia resident and patient of Coastal Cardiology since before the merger, received notice in October 2022 informing her that her Social Security number was among those that were compromised, the lawsuit relays. Regarding the notice, the plaintiff was “especially alarmed by the vagueness” of its description of what particular private information was stolen, the suit says.

As the complaint tells it, the plaintiff has received since the data breach numerous spam calls, texts, and emails and has also received mail addressed to her maiden name—something she never uses but was stored in the defendant’s network. Like other victims of the cyberattack, the plaintiff now faces a significant risk of fraud, identity theft, and other illegal activities for years to come, the case argues.

The lawsuit looks to represent anyone whose personal information was compromised as a result of the data breach detected by Coastal Cardiology in August 2022, about which it sent notice in October 2022.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.