SimonMed Imaging failed to protect patient information before ransomware attack, class action lawsuit claims
SimonMed Imaging allegedly failed to protect patients’ personal information ahead of a recent ransomware attack, according to a class action lawsuit filed Friday.
Radiology Business reported news of the breach Feb. 14, with the Scottsdale, Arizona, practice claiming it had interrupted hackers before they encrypted data. A week later, Maricopa County resident Rosemary Hamermaster has now filed suit against SimonMed seeking a jury trial and damages of more than $5 million.
Hacker group Medusa has reportedly claimed credit for the attack, contending it has hundreds of GBs of data from the practice’s patients.
“This action arises from defendant’s failure to properly secure and safeguard plaintiff’s and hundreds of thousands of similarly situated class members’ sensitive protected health information and personal identifying information, which as a result, is now in a notorious criminal ransomware group’s possession,” according to the complaint, filed Feb. 21 in an Arizona district court.
SimonMed—which employs about 200 radiologists working across 170 sites in 11 states—reiterated its comments from earlier this month when the attack occurred.
"We believe we interrupted an attempted ransomware attack, but no data was encrypted. We are fully operational, as we immediately remediated and contained the situation,” Jenna Lloyd, chief marketing officer, told Radiology Business Tuesday.
According to previous reports, data involved in the breach included dates of birth, medical and diagnostic images and Social Security numbers, among other things. Medusa was reportedly seeking $1 million in cryptocurrency in exchange for the information, but it is unclear whether SimonMed paid the hacker group.
Plaintiff attorneys claim at least 132,000 individuals were impacted by the incident. They’re seeking punitive damages, attorney fees, a declaratory judgment and injunctive relief. The later could include SimonMed disclosing the full nature of the cyberattack and types of information exposed.
“The data breach has caused plaintiff to suffer fear, anxiety and stress, which has been compounded by the fact that defendant has still not fully informed her, or even the public, of key details about the data breach’s occurrence or the information stolen,” the complaint states.
The cyberattack is one of several recently suffered by radiology practices over the past year. Pinehurst Radiology Associates in North Carolina reported a data breach earlier this month, as did University Diagnostic Medical Imaging in the Bronx, New York. Along with ransomware demands, some have been forced to issue hefty payments for purportedly failing to protect patient information. In October, East River Medical Imaging PC of New York was ordered to pay $1.85 million to settle a class action lawsuit stemming from a cyberattack.
Marty Stempniak has covered healthcare since 2012, with his byline appearing in the American Hospital Association's member magazine, Modern Healthcare and McKnight's. Prior to that, he wrote about village government and local business for his hometown newspaper in Oak Park, Illinois. He won a Peter Lisagor and Gold EXCEL awards in 2017 for his coverage of the opioid epidemic.