A class-action lawsuit was filed against a Scranton, Pa.-based cardiology group that took two months to reveal a data breach that affected more than 181,000 patients, The Times-Tribune reported June 26.
The lawsuit, filed in mid-June, seeks damages on multiple counts, including negligence, breach of fiduciary duty, breach of contract and unjust enrichment.
Commonwealth Health Physician Network-Cardiology, also known as Great Valley Cardiology, was hacked Feb. 2, but the breach was not discovered until April 13, the system said. The health system did not announce the breach for two months in order to conduct a forensic investigation to identify everyone affected.
Information obtained varied by person but included names, addresses, demographic information, Social Security numbers, driver's license and passport numbers, and credit card or debit card and bank accounts, as well as health insurance, claims and medical information.
Annmarie Poslock, a Commonwealth Health spokesperson, told The Times-Tribune that there was no indication the hackers used the information "in any way."
However, the lawsuit stated that the group's failure to notify victims of the data breach meant they were unable to take action to protect their information. One affected patient, Michele Jarrow, was alerted by the McAfee computer security software service that her private information was posted on the dark web.
"Once personal information is exposed, there is virtually no way to ensure that the exposed information has been fully recovered or contained against future misuse," the suit said. "For this reason ... Ms. Jarrow will need to maintain heightened measures for years, and possibly her entire life."
Ms. Poslock declined to comment, citing the active litigation.