Do you know who pays for a data breach?
Your first response may of course be the individuals who have had their data exposed. Those individuals pay with the time, stress, and potential risks associated with their data being exposed as well as the costs to monitor their personal information.
However, orthopedic practices and hospitals may also have to pay. Especially if the organizations are sued by the individuals who had their data exposed.
Northeast Orthopedics and Sports Medicine, PLLC is facing such legal action. The proposed class action comes in response to the November 2023 cyberattack that exposed the personal data of approximately 177,276 individuals.
The lawsuit claims that Northeast Orthopedics failed to protect the personal data of the individuals who had their information exposed during the cyberattack. In the lawsuit, it is alleged that the orthopedic practice failed “to properly secure and safeguard the personally identifiable information that it collected and maintained as part of its regular business practices, including, but not limited to, names, Social Security numbers, driver’s license information, payment information, and dates of birth (‘personally identifying information’ or ‘PII’) and medical and health insurance information….”
This is not the first class action to be filed against an organization after a data breach. OTW has covered a number of these lawsuits. For OTW’s previous coverage of organizations paying for data breaches, see “Bienville Orthopaedic Specialists Sued Over Data Breach,” “The Price of a Data Breach,” “Banner Health Agrees to Pay $6 Million for Data Breach,” and “Victims Can Sue Ortho Clinics if Data Hacked.”
Patients and other individuals have found that they can sue after their data is exposed and if the lawsuit is successful, the organizations have to pay. Do these continuing lawsuits indicate a growing trend? If this is a trend then it may indicate that orthopedic practices and hospitals not only need to be worried about cyberattacks but also about the threat of litigation after the cyberattack.
