Radiology provider Akumin failed to protect patient info prior to cyberattack, lawsuit claims
A proposed class-action lawsuit in Florida claims that radiology and oncology services provider Akumin failed to protect sensitive patient information prior to a crippling cyberattack.
Gina Letizio of New Hampshire and her attorneys filed the complaint Dec. 27, seeking damages in excess of $5 million. Their concern stems from an October 2023 ransomware hack against the Plantation, Fla., firm forcing it to temporarily suspend services. The cyberattack came at a particularly inopportune time for Akumin, which was grappling with large debt payments, damages from a hurricane and declining revenues. The company filed for Chapter 11 bankruptcy protection less than two weeks after reporting the breach.
Letizio and others claim Akumin failed to properly safeguard sensitive information including Social Security numbers and other unique identifiers. This has left thousands of individuals at “imminent and ongoing risk” of fraud and identity theft.
“The data breach was a direct result of [Akumin’s] failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect individuals’ private information with which it was entrusted for either treatment or employment, or both,” the complaint, filed in a Florida Southern District Court, states.
Akumin CEO Krishna Kumar, MBA—who recently sat down with Radiology Business to discuss the company’s February 2024 emergence from bankruptcy—shared a brief statement Thursday. He noted that the incident occurred under previous leadership and before lender Stonepeak took control of the company last year.
“While we cannot comment on specific litigation, Akumin has been keeping all stakeholders regularly informed of any updates from October 2023 through December 2024,” the company said, adding that further details can be found here.
Akumin first detected the breach on Oct. 11, 2023, and had restored most of its operations by November 2023. At the time, the company said it immediately secured networks and shut down systems. Seven imaging centers in Delaware and Florida remained shuttered for a longer period of time, Radiology Business reported previously.
Letizio and other impacted parties claim Akumin’s “unreasonable and inadequate” data security practices resulted in them suffering “numerous and concrete injuries and damages.” They also are faulting the firm for failing to immediately disclose the incident to impacted parties.
“The exposure of one’s private information to cybercriminals is a bell that cannot be un-rung,” the complaint states. “Before this data breach, plaintiff’s and the class’s private information was exactly that—private. Not anymore. Now, their private information is forever exposed and unsecure.”
Along with certification of the proposed class-action suit, Letizio et al. are seeking a jury trial to determine the exact amount in damages, fees and other costs. Others also have filed similar complaints, which would be folded into one action, if approved by a judge.
Several other radiology providers have been sued in recent years over cyberattacks. Those included East River Medical Imaging PC in New York, which in October agreed to pay nearly $2 million to settle a class-action suit.
Marty Stempniak has covered healthcare since 2012, with his byline appearing in the American Hospital Association's member magazine, Modern Healthcare and McKnight's. Prior to that, he wrote about village government and local business for his hometown newspaper in Oak Park, Illinois. He won a Peter Lisagor and Gold EXCEL awards in 2017 for his coverage of the opioid epidemic.