Empress EMS Faces Lawsuit for Ransomware Attack

Empress EMS, a New York-based ambulance service, is facing multiple class-action lawsuits after patient data was stolen during a ransomware attack. The attack was carried out by the Hive ransomware group, which gained access to Empress EMS’ network, stole files, and then encrypted them. Though the criminals gained access on May 26, 2022, the attack was not detected until July 14, 2022.

Empress EMS sent breach notifications to the affected patients, warning them that names, dates of birth, medical information, treatment records, prescription data, and other demographic information were stolen by the group. For some patients, Social Security Numbers were also taken. These files were stolen on July 13. Empress EMS offered these individuals complimentary credit monitoring services.

Affected patients (up to 318,558 individuals) received breach notifications around September 9, 2022. The Office for Civil Rights (the primary HIPAA enforcement body) was also notified.

However, Empress EMS has since been subject to lawsuits. One, filed with the Manhattan Federal Court on behalf of Robert D’Agostini and others, alleges that Empress EMS did not adequately protect patient data, that it breached an implied contract, and that it violated New York General Business Law. It also alleges that Empress EMS violated HIPAA.

The lawsuit also notes that Empress EMS did not detect the attack for nearly two months, and that it took a further seven weeks to notify patients that their data was stolen. However, this is not a violation of HIPAA. Although HIPAA states that patients should be notified “without delay”, it also states that HIPAA Covered Entities have up to 60 days to notify affected individuals.

The suit also alleges that Empress EMS omitted key pieces of information from the breach notification letters. Specifically, the letters did not mention that Hive was behind the attack. The group – which claims to have stolen more than 100,000 Social Security Numbers to date – is notorious for stealing personal data. Additionally, the lawsuit alleges that 100,000 patients is not a “small subset” of the overall number, as was stated in the letter.

The lawsuit seeks class-action status, a jury trial, actual damages (or $50 per class member, whichever is higher), treble damages, and punitive damages.