Keystone Health Hit with Class Action Over 2022 Data Breach Affecting 235K Patients
Whitehead v. Keystone Health
Filed: October 25, 2022 ◆§ 1:22-cv-01678-CCC
A class action alleges Keystone Health failed to prevent a 2022 data breach that compromised the personal and health information of 235,237 individuals.
Pennsylvania
A proposed class action alleges Keystone Health failed to prevent a 2022 data breach that compromised the personal and health information of approximately 235,237 individuals.
According to the 60-page case, the healthcare provider's failure to implement adequate cybersecurity measures allowed cybercriminals to access its network between July 28 and August 19, 2022. The breach exposed the names, Social Security numbers and clinical health information of 235,237 patients, the filing relays.
The complaint claims that Keystone Health detected the cyberattack on August 19 but waited until October 14, 2022 to notify affected individuals.
"As a result of this delayed response, Plaintiff and Class Members had no idea their Private Information had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm," the suit states. "The risk will remain for their respective lifetimes."
The case argues that Keystone Health "intentionally, willfully, recklessly and/or negligently" disregarded patients' rights given the foreseeable nature of ransomware attacks. Cybersecurity firm Mimecast found that 90 percent of healthcare organizations experienced cyberattacks in 2020, the filing relays.
Per the complaint, Keystone Health has violated its obligations under the Health Insurance Portability and Accountability Act (HIPAA) by failing to properly secure or encrypt the sensitive data stored in its system. Moreover, Keystone Health has overlooked minimum industry standards for cybersecurity, Federal Trade Commission guidelines for data security and promises in its privacy policy to safeguard patients' information, the suit alleges.
The filing contends that Keystone Health "could and should have" implemented security measures recommended by the U.S. Cybersecurity & Infrastructure Security Agency or the Microsoft Threat Protection Intelligence Team but instead chose not to address its "computer systems in need of security upgrades" and "inadequate procedures for handling email phishing attacks, viruses, malignant computer code, [and] hacking attacks."
The lawsuit looks to represent anyone whose private information was actually or potentially accessed or acquired during the Keystone Health data breach.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.
Hair Relaxer Lawsuits
Women who developed ovarian or uterine cancer after using hair relaxers such as Dark & Lovely and Motions may now have an opportunity to take legal action.
Read more here: Hair Relaxer Cancer Lawsuits
How Do I Join a Class Action Lawsuit?
Did you know there's usually nothing you need to do to join, sign up for, or add your name to new class action lawsuits when they're initially filed?
Read more here: How Do I Join a Class Action Lawsuit?
Stay Current
Sign Up For
Our Newsletter
New cases and investigations, settlement deadlines, and news straight to your inbox.
Before commenting, please review our comment policy.