Netgain, CareSouth Face Class Action Over Dec. 2020 Ransomware Attack
by Erin Shaak
Last Updated on September 17, 2024
Clark v. Netgain Technology, LLC et al.
Filed: August 10, 2021 § 3:21-cv-01432
Netgain and CareSouth face a class action in the wake of a December 2020 ransomware attack that reportedly exposed a wealth of personal patient information.
Netgain Technology, LLC and CareSouth Carolina, Inc. face a proposed class action in the wake of a December 2020 ransomware attack that reportedly exposed a wealth of personal patient information to unauthorized parties.
According to the 52-page case, the “massive and preventable” data breach would not have occurred, or would have been discovered sooner, had Netgain and CareSouth implemented adequate cybersecurity measures. As a result of the defendants’ failure to safeguard patients’ information, those whose data was exposed in the breach now face a heightened risk of identity theft and fraud, the lawsuit alleges.
“Due to Defendants’ negligence and data security failures, cyber criminals obtained and now possess everything they need to commit personal and medical identity theft and wreak havoc on the financial and personal lives of hundreds of thousands of individuals for decades to come,” the complaint states.
The lawsuit states that Netgain, a cloud hosting and information technology services provider serving the healthcare and accounting industries, and CareSouth, a community health center client of Netgain, collect in the course of business an array of information about patients and consumers and thereby assume a duty to protect such information from unauthorized disclosure. The case alleges, however, that the defendants breached this duty of trust by allowing cybercriminals to infiltrate their network on December 3, 2020 and access patient data, including names and addresses, medical record numbers, dates of birth, Social Security numbers, health insurance policy and identification numbers, insurance claims, explanation of benefits statements, clinical notes, referral requests, laboratory reports, decision not to vaccinate forms, authorization requests for services, treatment approvals, records requests, immunization information, vaccine records, medical record disclosure logs, incident reports, invoices, correspondence with patients, student identification numbers, bank account numbers, employment-related documents, court documents, Drug Enforcement Agency certificates, payroll withholding and insurance deduction authorizations, benefit and tax forms, employee health details and medical records.
Per the case, Netgain paid “a significant amount of money” to the hackers in exchange for a promise that they would delete the data in their possession and not publish, sell or otherwise share the “highly sensitive” personal and medical information. The lawsuit argues that the notices sent by the defendants to proposed class members and state attorneys general imply that the affected data was left “unencrypted and unprotected.”
The suit goes on to allege that Netgain and CareSouth negligently waited six months after learning of the incident to notify those affected despite being fully aware that patients “were in danger as a result of the Data Breach.” Moreover, the defendants, in the aftermath of the breach, have done “very little” to protect those whose information was compromised, the case says, characterizing the companies’ offer of 12 months of free identity theft protection and credit monitoring services as “woefully inadequate” to compensate patients for the damages they’ve incurred.
“In effect,” the complaint relays, “Defendants are shirking their responsibility for the harm and increased risk of harm they have caused Plaintiff and members of the Class, including the distress and financial burdens the Data Breach has placed upon the shoulders of the Data Breach victims.”
Making matters worse, the suit says, is that the defendants have failed to regain the security of patients’ information given their ransom payment “will only encourage attackers to carry out these types of cyberattacks on Netgain’s system networks in the future,” and does not guarantee that the hackers will honor their promise to keep the stolen data to themselves.
Per the suit, the defendants have fallen short of their obligations under the Health Insurance Portability and Accountability Act (HIPAA), reasonable industry standards, common law, state statutory law and their own representations to properly safeguard patients’ sensitive personal and medical information.
The lawsuit looks to represent anyone in the U.S. whose personal and medical information was compromised as a result of the December 2020 data breach. Also proposed in the case is a subclass of CareSouth patients whose information was compromised in the incident.