OakBend Medical Center Maintained Sensitive Info In ‘Reckless Manner’ Prior to 2022 Data Breach, Class Action Says

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action alleges Texas-based OakBend Medical Center maintained sensitive information in “a reckless manner” prior to a ransomware attack in September that reportedly compromised more than one million patient records. 

The 44-page suit says “inadequate security practices” on the part of the Greater Houston-area medical service provider, with over 1,200 employees and 50 locations, allowed cybercriminals to access sensitive files before then encrypting those files and demanding from OakBend a ransom payment in exchange for the decryption key. 

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here. 

According to the suit, the “particularly infamous and dangerous” hacker group “DaixinTeam” has claimed responsibility for the incident, purporting to have stolen more than one million patient records. The information compromised in the cyberattack includes names, dates of birth, patient treatment details and Social Security numbers, the case says. 

“Now, the group warns that it will release a ‘full leak’ of the stolen data,” the complaint relays, adding that the hacker group was responsible for past data breaches involving healthcare facilities, including a Missouri-based hospital, whose information later ended up on the dark web. 

The case charges that a cyberattack was a known risk to OakBend Medical Center, who was thus on notice that failing to take necessary precautions to secure the sensitive data in its care “left that property in a dangerous condition.” Further, the defendant failed to properly monitor the computer network and IT systems that contained the information compromised in the cyberattack, which has now left proposed class members’ identities at risk and their information in the hands of data thieves, the lawsuit says. 

“As a result of the Data Breach, Plaintiffs and Class Members have been exposed to a heightened and imminent risk of fraud and identity theft,” the suit states. “Plaintiffs and Class members must now—and in the future—closely monitor their financial accounts to guard against identity theft.” 

According to the suit, DaixinTeam has already publicly leaked some of the data stolen from OakBend. 

The case charges that OakBend failed to implement basic data security practices and comply with industry standards and Federal Trade Commission guidelines in the run-up to the data breach. Moreover, the unauthorized disclosure of patient information is a violation of the Health Insurance Portability and Accountability Act (HIPAA), the suit alleges. 

To date, the lawsuit says, OakBend has done nothing to help data breach victims, other than offering 18 months of free credit monitoring. 

Neither of the two plaintiffs has thus far received any warning or notice from OakBend about the ransomware attack, the filing states. 

The lawsuit looks to cover all United States residents whose information was compromised by the OakBend Medical Center data breach, including all persons who received notice of the incident. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.