A lawsuit has been filed against LifeBridge Health over a breach of the protected health information (PHI) of patients that was caused by a malware infection on its servers. The Baltimore-based healthcare provider identified the malware infection in March 2018, although the malware was actually installed on its servers on September 27, 2016. The server was used to host the electronic medical records, patient registration and billing systems of LifeBridge Health.
For 18 months, the malware remained on its server during which time the PHI of about 530,000 patients was potentially stolen. The types of information stored on the server included names, addresses, birth dates, Social Security numbers, health insurance details, diagnoses, and treatment data.
The lawsuit was filed by the law firm Murphy, Falcon & Murphy. According to the lawsuit, the theft of patient data was due to the failure of LifeBridge to effectively secure patients’ highly sensitive and confidential information. further, the lawsuit alleges the breach resulted from “a serious lack of judgement and oversight” by LifeBridge Health. The organization failed to employ proper safety measures to secure the PII and PHI of patients, which allowed hackers to easily infect its systems for 18 months prior to being discovered. The lawsuit also alleges the breach resulted in serious harm to patients.
LifeBridge Health is accused of violating privacy protection laws in Maryland, including the Maryland Social Security Number Privacy Act, the Maryland Personal Information Protection Act, and the Maryland Consumer Protection Act.
Two defendants named in the lawsuit, Darlene Johnson and Jahima Scott, claim that they suffered identity theft and credit card fraud soon after the breach. The plaintiffs are seeking over $30,000 in damages.