The Vermont-based health system faced an attack in June of 2022.
The Big Picture
Lamoille Health Partners is a health system providing family medicine services, pediatrics, dentistry, mental health treatment, and more.
The organization is a non-profit funded in part by the U.S. Health and Human Services (HHS) Administration and has seven locations across Lamoille County, each offering varying services.
The breach was discovered on June 13th, 2022, according to a notice from Lamoille Health that has since been deleted.
Following the breach, Lamoille Health faced pushback and claims that the healthcare organization could have prevented the attack.
Now, nearly two years later, the healthcare company has reached a settlement with the plaintiff. They have agreed to pay $540,000 with no admission of wrongdoing. While the settlement has not been finalized, it is expected to pass in September.
The Breach
According to the data breach notification to Maine, the breach impacted approximately 59,381 individuals.
The breach occurred between June 12th and June 13th and was discovered on June 13th. In the breach notification letter, Lamoille Health said, “We discovered that an unknown unauthorized third party locked some of our files in a ransomware attack.”
The healthcare organization explained that the attacker locked Lamoille Health files and demanded a ransom for retrieval. The company said as soon as they learned of the attack they “promptly employed our established protocols and began securely restoring our systems from backups.”
Lamoille Health also said they notified law enforcement and began working with a cybersecurity firm to investigate the incident. The firm confirmed that certain documents were viewed and stolen by the malicious actor.
It was determined that the following information may have been accessed: names, addresses, dates of birth, Social Security numbers, health insurance information, and medical treatment information.
In response to the incident, Lamoille Health said they have “taken steps to reduce the risk of this type of incident occurring in the future, including enhancing our technical security measures.”
At the time of the notice, they did not believe any fraud or identity theft had occurred. They offered complimentary credit monitoring and identity theft prevention.
Despite the incident being a ransomware attack, news sources said the clinic did not have to pay money to regain access to its system. The attacker has not been identified.
The Lawsuit
On September 1st, 2022, a class action lawsuit was filed against Lamoille Health Partners (also known as LHP). The class action suit claimed Lamoille Health “allowed a third party to access Defendant LHP computer systems and data, resulting in the compromise of highly sensitive personal information belonging to thousands of current and former patients of LHP.”
The lawsuit also claimed that Lamoille Health failed to provide adequate or timely notice of the data breach. While Lamoille Health claimed to have discovered the breach as early as June 13th, notification letters were dated August 10th.
The plaintiff argued that the data itself was held in a “reckless manner” on a “computer system and network in a condition vulnerable to a cyberattack.” The case argues that the data was never encrypted, even though encryption is a key component of data protection.
Furthermore, the lawsuit argued that Lamoille Health failed to properly monitor their computer and IT systems.
The suit alleged that victims “suffered ascertainable losses in the form of the loss of the benefit of their bargain, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack, emotional distress, and the imminent risk of future harm caused by the compromise of their sensitive personal information.”
Lamoille Health ultimately settled the case without admission of any wrongdoing. Under the settlement, Lamoille Health will provide $540,000 to cover claims from impacted individuals.
Class members may submit claims of up to $5,000 to cover unreimbursed, documented out-of-pocket expenses.
While the settlement is expected to pass, the case is still open for individuals to file for an exclusion or objection. A final approval hearing is scheduled for September 30th.
More information regarding the settlement and claims is available online.
What's Next
For Lamoille Health, the lawsuit closes one chapter in the organization’s story, just as another opens. The health system recently received additional funding to expand operations.
Senator Bernie Sanders secured $15.3 million for 13 projects in Vermont. $1.5 million will go to Lamoille Health and will be used for the construction of a third building, which will likely provide additional dental care for the community.
Lamoille Health is fortunate to be receiving funding even as it faces an expensive lawsuit. Many other healthcare organizations are not so lucky. Unfortunately, some hospitals, like Petersen Health, have gone bankrupt from breaches just like this one.
A Continuing Trend
The lawsuit against Lamoille Health doesn’t come as a surprise. Many organizations that have faced data breaches are now finding themselves in the same situation.
The public is growing increasingly aware of their privacy and data protection rights, which has triggered a slew of class action lawsuits against companies that could have done more to protect data.
Data breaches themselves are expensive: it’s estimated that revenue drops by 40% during an attack. Beyond this, organizations can expect to pay legal fees and fines and to face additional costs from improving their security.
Healthcare organizations have an obligation to protect patient data and are now beginning to be held accountable. While data breaches can be unpredictable, it’s up to organizations to do everything in their power to keep information secure.
How Cloudticity Can Help
In 2021 alone, it's estimated that 66% of healthcare organizations were hit by a ransomware attack. And threats are steadily increasing.
Cloudticity offers ransomware protection solutions designed to help organizations identify and stop attacks before they penetrate systems. Our services allow for quicker recovery and help organizations remain operational even when faced with an attack.
We’ve been managing protected health information in the cloud since 2011 and have never experienced a breach.