A local law firm filed a class-action lawsuit against Baltimore-based LifeBridge Health on behalf of thousands of consumers whose personal information was compromised in a 2016 data breach.
Here are five things to know about the lawsuit:
1. In May, LifeBridge Health notified more than 500,000 patients that their personal information may have been compromised during a breach in September 2016. The health system learned of the breach after discovering malware on a server that hosts EMR data for the system's affiliated physician group and the shared registration and billing system for other LifeBridge providers in March 2018.
2. LifeBridge Health offered one year of free credit card monitoring and identity protection services to patients whose Social Security numbers were compromised. In an emailed statement to Becker's Hospital Review in May, LifeBridge Health said it did not believe patient information was misused.
"While we have no reason to believe patient information has been misused in any way, out of an abundance of caution, we are notifying potentially affected patients, as well as providing resources for those who have questions or concerns," the health system wrote in its prepared statement.
3. Baltimore-based law firm Murphy, Falcon & Murphy filed a statewide class-action lawsuit against LifeBridge Health Dec. 19 on behalf of the 530,000-plus Maryland consumers whose personal data were compromised in the breach. Murphy, Falcon & Murphy said Social Security numbers, birth dates and health insurance information, among other data, were stolen during the incident.
4. Murphy, Falcon & Murphy alleged hackers were able to access the LifeBridge Health server due to the health system's "failure to ensure the integrity of its servers and to properly safeguard patients' highly sensitive and confidential information," according to a news release from the law firm. The firm argued the 18-month privacy incident exposed patients to "serious harm."
"LifeBridge's failure to protect their patients' information demonstrates a serious lack of judgment and oversight," said Hassan Murphy, managing partner at the law firm. "LifeBridge should have implemented appropriate and adequate technological safeguards to prevent such a massive cyberbreach from occurring, and certainly should have notified its patients immediately after learning of the breach."
5. Murphy, Falcon & Murphy also alleged LifeBridge Health's conduct violated multiple privacy protection statutes in the state, such as the Maryland Personal Information Protection Act, the Maryland Social Security Number Privacy Act and the Maryland Consumer Protection Act.
A LifeBridge Health spokesperson told Becker's Hospital Review Dec. 20 the health system could not comment, as it had not received the lawsuit.