Keystone Health Responsible for 2022 Data Breach, Class Action Alleges
Brake v. Keystone Rural Health Center
Filed: November 8, 2022 ◆§ 1:22-cv-01784-CCC
Keystone Health has been hit with a class action that claims it failed to prevent a data breach that compromised its patients’ personal and health information.
Keystone Health has been hit with a proposed class action that claims the healthcare provider failed to prevent a “foreseeable” data breach in 2022 that compromised its patients’ personal and health information.
The 58-page lawsuit alleges Keystone Health’s failure to implement adequate cybersecurity measures allowed cybercriminals to access its systems between July 28 and August 19 of this year. The breach exposed consumers’ names, Social Security numbers, dates of birth, health insurance information, personal addresses, and sensitive patient medical treatment details, the filing relays.
Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.
The complaint alleges that Keystone Health detected the cyberattack on August 19 but waited two months before notifying affected individuals on October 14. The plaintiff, a Pennsylvania patient who gave birth to her son in a hospital operated by Keystone Health, claims to have received letters stating that hackers gained access to her and her son’s private information.
According to the complaint, Keystone Health’s notice of the incident was short on specifics.
“Defendant’s notice was not just untimely but woefully deficient, failing to provide basic details, including, but not limited to, how unauthorized parties accessed its networks, whether the information was encrypted or otherwise protected, how it learned of the Data Breach, whether the Breach occurred system-wide, whether servers storing information were accessed, and how many patients were affected by the Data Breach.”
Additionally, Keystone Health has failed to disclose why it waited to alert patients after detecting the data breach, and if all the exposed data, and copies of the data, have been recovered or destroyed, the case contends.
According to the suit, the healthcare provider has offered the plaintiff and affected individuals 12 months of Equifax credit monitoring, which is “woefully inadequate” given that patients will risk falling victim to identity theft crimes for years to come.
The complaint alleges that Keystone Health “intentionally, willfully, recklessly, or negligently” left consumers’ personal information vulnerable and unencrypted, despite repeated warnings to safeguard personal and health information and highly publicized ransomware attacks within the healthcare industry.
Further, the filing contends that Keystone Health “could and should have” implemented security measures recommended by the U.S. Cybersecurity & Infrastructure Security Agency or the Microsoft Threat Protection Intelligence Team.
Per the case, Keystone Health has overlooked minimum industry standards for cybersecurity and failed to comply with Federal Trade Commission guidelines for data security. The healthcare provider has also violated its obligations under the Health Insurance Portability and Accountability Act (HIPAA) and breached its privacy policy to safeguard patients’ information, the suit alleges.
The lawsuit looks to represent anyone in the United States whose private information was compromised during the Keystone Health data breach discovered in August 2022.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.
Hair Relaxer Lawsuits
Women who developed ovarian or uterine cancer after using hair relaxers such as Dark & Lovely and Motions may now have an opportunity to take legal action.
Read more here: Hair Relaxer Cancer Lawsuits
Stay Current
Sign Up For
Our Newsletter
New cases and investigations, settlement deadlines, and news straight to your inbox.
Before commenting, please review our comment policy.