California Firm Entangled In Litigation Related to Rhysida Ransomware Attack
Prospect Medical Holdings continues to face mounting legal and business fallout from the 2023 ransomware attack that disrupted IT operations at 16 of its hospitals for several weeks and resulted in a data breach that affected 1.3 million people.
That includes a Pennsylvania federal court ruling this week allowing plaintiffs to move forward with a proposed class action lawsuit against Prospect, as well as an ongoing legal dispute with a Connecticut healthcare organization that had planned to buy several Prospect hospitals – before the attack allegedly worsened conditions at the facilities.
On Tuesday, in a mixed ruling, a Pennsylvania federal judge granted Prospect’s motion to dismiss two counts in a proposed amended consolidated class action lawsuit filed in March against the California-based company, but ultimately allowed plaintiffs to pursue claims that they suffered concrete and imminent injuries stemming from Prospect’s data breach.
“Plaintiffs have Article III standing, and they have stated a plausible claim for relief under only some – but not all – of the causes of action that they have identified, so Prospect’s motion will be granted in part and denied in part,” ruled U.S. District Judge Wendy Beetlestone.
“The amended complaint describes a plausible causal link between Prospect’s conduct and plaintiffs’ injuries,” the judge wrote.
“In late July or early August of 2023, the company suffered a data breach. Prospect’s data appeared en masse on the dark web later in August. It is reasonable to infer that this included plaintiffs’ personal information. At this early stage in the litigation, that is all that is needed to plead traceability.”
The amended lawsuit alleged that the Rhysida ransomware gang claimed responsibility for the attack, stating on its dark web site that Prospect “kindly provided more than 500,000 SSN, passports of their clients and employees, driver’s licenses, patient files (profile, medical history), financial and legal documents!!!”
Rhysida claimed to have stolen 1 terabyte of unique files, as well as a 1.3 terabyte SQL database, the lawsuit alleges. Rhysida also claimed to have leaked 45% of all of the files the group exfiltrated from Prospect Medical Holdings that they had not yet sold, the complaint alleged (see: California Hospital Chain Facing Ransom Service Disruption).
“Class actions are becoming more common, and in fact the threat of this litigation is being used as additional leverage to coerce victim organizations into paying extortion demands by cybercriminals,” said Mike Hamilton, founder and CISO of security firm Critical Insight.
Two issues are key from the perspective of defending these suits – standing and traceability, he said. “Several states have passed or are considering legislation that would provide a ‘safe harbor’ against the private right of action if the organization can demonstrate that it has implemented a standard of cybersecurity practice that is consistent and compliant with regulatory obligations,” he said.
“The lesson to be learned here is that these standards of practice are not optional and ideally should be audited by a third party to be used as evidence during discovery that the event was not preventable.”
Other Legal Woes
Besides the proposed class action lawsuit moving forward, Prospect is also enmeshed in litigation with Yale New Haven Health, which in 2022 – prior to the cyberattack – had signed an agreement to acquire Prospect’s Waterbury and Eastern Connecticut Health Network hospitals (see: Fallout Mounting from Recent Major Health Data Hacks).
But in May, Yale New Haven Health filed a lawsuit against Prospect seeking to terminate the agreement (see: Some Prospect Medical Hospitals in Dire State Post-Attack).
Among other claims, Yale New Haven alleges in its lawsuit that Prospect’s 2023 ransomware incident and data compromise of the information of thousands of patients and employees “is evidence that Prospect failed to implement and maintain adequate technical, administrative and operational cybersecurity and privacy programs with appropriate controls, oversight, testing, personnel and investment.”
Prospect also has “been unable to provide Yale New Haven Health with sufficient information to confirm that the selling entities’ security posture is appropriate on a going-forward basis,” Yale New Haven Health’s lawsuit alleges.
For its part, Prospect in June filed its own lawsuit against Yale New Haven Health, alleging that Prospect declined the Connecticut healthcare entity’s demand to lower the purchase price to an undisclosed amount below the $435 million agreed upon in 2022, and that Yale New Haven Health violated the terms of that contract.
A cyberattack and breach like the one at Prospect “will certainly have a negative effect on valuation of the entity, and in that event it should be anticipated and planned for that the acquiring entity will, at a minimum, seek to renegotiate terms – sometimes called ‘retrading,’” Hamilton said.
“This may be cause to halt the transaction until such time as valuation has recovered, versus taking the lower offer. That risk might be addressed through insurance or contractual covenants early in the acquisition process,” he said.
The drop in valuation caused by a cyber incident during an acquisition process is not without precedent, Hamilton added. “More than a billion Yahoo accounts were disclosed during a 2013 attack. Yahoo sold itself to Verizon for $4.48 billion, but the transaction was nearly derailed by the disclosure of the breach, and $350 million was cut from Verizon’s offer,” he said.
Prospect Medical did not immediately respond to Information Security Media Group’s requests for comment. Yale New Haven Health declined ISMG’s request for comment.