Class Action Lawsuit Filed Against Lamoille Health Partners For Data Breach Of 60,000 Patients

A class action lawsuit has been filed against Morristown-based Lamoille Health Partners following a ransomware attack involving the PHI of 59,381 patients. On June 13, 2022, Lamolle Health Partners had detected suspicious activity on their network. Following a forensic investigation, the healthcare provider confirmed that an unauthorized third-party had gaineds access to its network the previous day. Prior to encrypting the data, information regarding patients’ names, addresses, birth dates, Social Security numbers, health insurance information, and medical treatment information were all obtained. Lamoille Health Partners immediately implemented protocols and securely restored its systems from backups and promptly notified law enforcement of the incident.

On August 11, 2022, Lamoille Health Partners issued breach notification letters to potentially affected individuals detailing how their information was accessed, what they can do to limit harm, and offered credit monitoring and identity protection services free of charge. The healthcare provider stated that the delay in issuing the breach notification letters was a result of the lengthy investigation they conducted to determine which information had been obtained by the malicious actors. 

After receiving the breach notification letters, a class action lawsuit was filed by the affected patients who had their PHI exposed to the hackers.The plaintiffs, represented by Burlington, VT, lawyer Matthew B. Byrne of Gravel and Shea, allege that Lamoille Health Partners failed to adequately protect their PHI by implementing insufficient security measures.The plaintiff, Patricia Marshall, contends that the healthcare provider is in violation of the HIPAA Security Rule and believes that she faces an ongoing risk of identity theft and fraud as a result of the organization’s negligence.

Additionally, the plaintiffs contend that the reason for the delay in notifying affected individuals was insufficient. Despite, the notification falling within the 60-day limit set by the Breach Notification Rule. The lawsuit has been filed in the U.S. District Court for the District of Vermont on September 1, 2022. The plaintiffs ask for both compensatory damages and injunctive relief, which would compel Lamoille Health Partners to implement additional safeguards to improve its data security.