Data Breach Lawsuit Claims Medical College of Wisconsin, IT Vendor Failed to Protect Patient Info from Hackers

New to ClassAction.org? Read our Newswire Disclaimer

The Medical College of Wisconsin (MCW) and a third-party IT vendor face a proposed class action lawsuit over a May 2023 cyberattack that compromised patients’ personal and medical data.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

In MCW’s November 2023 notice letter, the private medical college—which provides healthcare services at hospitals and clinics around Milwaukee and in eastern Wisconsin—announced that it had been impacted by a ransomware attack that targeted MOVEit, a file transfer tool owned by co-defendant Progress Software Corporation.

Per the notice, MCW learned that in late May 2023 an unauthorized threat actor had gained access to and potentially exfiltrated some of the college’s files through a vulnerability in the MOVEit software, compromising the private patient data stored therein.

The 44-page Medical College of Wisconsin data breach lawsuit shares that the cyberattack—reportedly perpetrated by a ransomware gang known as Clop—exposed patients’ names, dates of birth, Social Security numbers, health insurance applications and claim information. The MCW data breach also compromised certain healthcare data, including medical histories, conditions, treatments and diagnoses, dates of service, procedure details and medical record numbers, the suit says.

The case contends that MCW failed to implement reasonable data security practices to safeguard patient information and neglected to ensure its IT vendor maintained adequate cybersecurity protocols.

As a result of the defendants’ negligence, there were “significant vulnerabilities in MCW’s systems for cybercriminals to exploit,” the complaint alleges.

According to the filing, while MCW began to notify data breach victims in November 2023, Progress Software “continues to delay” notifying impacted individuals “[d]espite the enormity of the breach.”

The case charges that victims like the plaintiff, an MCW patient residing in Milwaukee, now face a lifelong risk of medical fraud, identity theft and other cybercrimes as a result of the defendants’ allegedly reckless conduct.

The lawsuit looks to represent anyone in the United States whose personal information was compromised, accessed or removed without authorization during the data breach involving the MOVEit platform vulnerability.

Are you owed unclaimed settlement money? Check out our class action rebates page full of open class action settlements.