An ambulance service in New York is facing a class action lawsuit for mishandling protected health information and failing to disclose a data breach as required by the Health Insurance Portability and Accountability Act. Robert D’Agostini filed suit last week against Empress Ambulance Service LLC dba Empress EMS.
The suit alleges negligence, breach of contract, and a violation of New York General Business Law §349 on Deceptive Acts and Practices. While referencing violations of HIPAA, the complaint does not include a count alleging damages under HIPAA. Rather, the suit claims federal jurisdiction as a class action pursuant to the Class Action Fairness Act, 28 U.S.C. § 1332(d).
Quoting from the complaint:
- In or around May 26, 2022, Empress experienced a data breach whereby unauthorized, third-party hackers gained access to Defendant’s internal systems through a ransomware attack.
- Empress did not detect this unauthorized access until July 14, 2022—almost two months later—at which point those third-party hackers had already exfiltrated the personal identifying information (“PII”) and protected health information (“PHI”) of approximately 318,558 individuals from Empress’ systems.
- This PII included, inter alia, those individuals’ names, dates of birth, demographic information, diagnosis and treatment information, medical record numbers, dates of service, insurance information, prescription information, and social security numbers.
- Under statute and regulation, Empress had a duty to implement reasonable, adequate industry-standard data security policies and safeguards to protect patient PII and PHI.
- Empress failed to implement such reasonable and adequate data safeguards and allowed third-party hackers to exfiltrate its patients’ PII and PHI.
- Empress unreasonably delayed in notifying Plaintiff and Class Members of the data breach until approximately September 9, 2022—despite having discovered the breach nearly two months earlier—when it disseminated letters informing Plaintiff and other Class Members that their PII and PHI had been compromised by the data breach.
- Even more egregiously, Empress’s Data Breach Notice sent to Plaintiff omits and misrepresents key information about the data breach.
- The Data Breach Notice did not disclose that the Hive Gang, a notorious ransomware group, had announced that they were behind the breach. Immediately following the data breach, Hive contacted Defendant by email, in which they claimed that they had downloaded Empress’ “most important information with a total size over 280 GB,” and claimed to have obtained over 100,000 social security numbers from Empress’ systems.
- This is in stark contrast to Empress’ Data Breach Notice and public disclosures, in which they claimed that only “a small subset of files” had been copied.
- Empress’ Data Breach Notice also failed to inform Plaintiff that the Empress data breach had been briefly listed on Hive’s leak website, and that files exfiltrated in the data breach have been discovered available for download on the dark web.
- As a result of Empress’s wrongful actions and inactions, patient information was stolen.
- Plaintiff and Class Members have had their PII and PHI compromised by nefarious third-party hackers, have had their privacy rights violated, have been exposed to the risk of fraud and identity theft, and have otherwise suffered damages.
- Plaintiff and Class Members bring this action to secure redress against Empress.
Here is a copy of the complaint. It is worth noting that the same allegations could be made against a fire-based EMS service under the same circumstances.