VUMC and Norton Healthcare Face Class Action Lawsuit

Class Action Lawsuit Filed Against Norton Healthcare Over BlackCat Cyberattack

Norton Healthcare, based in Kentucky, operates over 140 clinics and hospitals across Kentucky and Southern Indiana. It is facing a class action lawsuit in connection with a cyberattack and data breach in May 2023. Norton Healthcare has disclosed only limited information about the attack; nevertheless, the BlackCat ransomware group announced that it was responsible for the cyberattack and published some of the information exfiltrated from Norton Healthcare on its data leak website. The stolen data contained names, email addresses, addresses, birth dates, driver’s license numbers, Social Security numbers, government ID numbers, payment/financial establishment data, medical insurance companies, medical treatment data, medical diagnoses, prescription drugs, medical pictures, and laboratory test results. The breach was reported to the HHS’ Office for Civil Rights as affecting 501 persons because the number of affected persons is not yet determined.

On July 21, 2023, a class action lawsuit was filed in U.S. District Court on behalf of plaintiff Lanisha Malone and similarly situated persons whose sensitive information was stolen during the attack. Malone worked for Norton Healthcare from 2015 to 2022 and states that her sensitive data was stolen and that there have already been attempts to misuse it. Her bank contacted her regarding a suspicious $1,500 transaction on her debit card, which the bank blocked, and she has also received several letters and telephone calls regarding car installments that she doesn’t owe. She said that she spent two hours every week checking her accounts and credit statements for suspicious transactions and that the attempted fraud has made her feel anxious and stressed because of worries about her personal and financial security.

Although the attack happened on May 9, Malone stated that she had not received any notification from Norton Healthcare regarding the data breach and that Norton Healthcare did not give any reason why no notification letter was issued to any of the patients. The notification on Norton Healthcare’s website states that the investigation is in progress and that it is about to restore all functions.

The lawsuit seeks class-action status, compensatory damages, a jury trial, and a court order requiring Norton Healthcare to send notifications to all impacted persons and enhance its security measures to better safeguard patient data. The lawsuit additionally seeks 10 years of free credit monitoring services for all individuals affected by the breach.

Lawsuit Filed Against VUMC Over Exposure of Healthcare Data of Transgender Patients to State AG

Vanderbilt University Medical Center (VUMC), based in Nashville, TN, has reported that the health records of transgender patients were provided to Tennessee Attorney General Jonathan Skrmetti in connection with a medical billing fraud investigation.

According to AG Skrmetti’s Chief of Staff, Brandon Smith, the health records were requested for a medical billing fraud case centered on VUMC and connected with other healthcare companies, rather than patients. The AG’s office did not elaborate on the fraud investigation, in order to protect the credibility of the investigative process.

VUMC has provided gender-affirming care to individuals under 18 since 2018 and usually performs about 5 surgical procedures per year. VUMC stated that all operations, none of which were genital operations, were performed on individuals above 16 years old with parental permission. VUMC has indicated that it provided patient records to the state Attorney General after receiving two civil investigative demands (CIDs); this move has led to substantial backlash from the LGBTQ+ community. The Tennessee Attorney General has the legal power in an investigation to demand that VUMC provide all copies of patient health records that are related to its investigation. VUMC was obligated to comply and did so, said VUMC representative John Howser.

Concerns were raised about the disclosures in light of the soon-to-be-introduced restriction on gender-affirming care for those under 18 in Tennessee. The state legislation will become effective on July 1, 2023, and will stop physicians from providing gender-affirming care to persons below 18 years old. The legislation has been challenged, and although the restriction was partly blocked, so that surgical operations on minors were forbidden but puberty blockers and hormone treatments could still be given, the 6th Circuit Court of Appeals lifted that block, reinstating the restriction on all gender-affirming care for those under 18.

Since the VUMC announcement, a number of people have posted on social media claiming that the medical record disclosures were a violation of HIPAA and patient privacy. HIPAA restricts disclosures of health records but allows disclosures in response to an administrative request, which includes a civil or an authorized investigative demand, an administrative subpoena or summons, or a similar process authorized by law. In these instances, the data provided must be related to the inquiry, and identifiable data may be provided only if de-identified protected health information (PHI) cannot reasonably be provided instead. VUMC did not confirm the number of records disclosed in response to the CIDs but stated that the information demanded by the Attorney General was from 2018 and that the patients involved were enrolled in TennCare insurance plans. The people involved were informed by VUMC that their information was provided to the state Attorney General because of a civil investigation.

HIPAA permits but does not require healthcare companies to share patient information, and VUMC was criticized for not taking a stand, though declining the request would probably only have delayed the disclosures. The impacted individuals are afraid that, whatever the outcome of the fraud investigation, the office of the Attorney General will already have a list of persons who have received gender-affirming care. Brandon Smith expressed concern regarding VUMC’s decision to announce the disclosures and maintained that the VUMC investigation had been going on since September 2022 and that VUMC has been providing data relevant to the inquiry since December 2022.

The medical record disclosures have prompted two impacted individuals to file a class action lawsuit. They assert that VUMC knew the state was focusing on the transgender community but still gave the patient records to the Attorney General and thus violated the HIPAA Rules. The lawsuit alleges that VUMC exposed the data of 106 people, including persons covered by the state employees’ health plan along with their family members, individuals who get their health care via TennCare, and certain persons who weren’t patients of the VUMC Transgender Health Clinic. According to the lawsuit, one more CID was issued for all communications with VUMC’s Dr. Melissa Ciperski as well as the others employed at Centerstone concerning or associated with a possible gender dysphoria diagnosis of an individual receiving mental health therapy at Centerstone.

The law firm Herzfeld, Suetholtz, Gastel, Leniski & Wall and Abby Rubenfeld filed the lawsuit, which questions the amount of information provided, including highly sensitive medical data such as photos of genitalia, private conversations with clinicians, sexual histories, and the details of intimate partners, and the failure to provide de-identified data in response to the CIDs.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.