A Class-Action Lawsuit Exposes Cybersecurity Failures
A significant data breach impacting the personal information of over 300,000 patients of Presbyterian Healthcare Services (PHS) has resulted in a class-action lawsuit filed against Thompson Coburn LLP, the law firm involved. The lawsuit, filed November 12th in an Illinois federal court, alleges negligence in cybersecurity practices by both Thompson Coburn and PHS, leading to the unauthorized access of sensitive data.
The breach, which occurred between May 28th and 29th, 2024, compromised a wide range of sensitive information, including names, Social Security numbers, dates of birth, medical record numbers, patient account details, prescription information, and health insurance details. The breach at the law firm highlights the increasing vulnerability of healthcare data and the critical need for robust cybersecurity measures across all sectors handling sensitive patient information.
The Extent of the Data Breach and its Fallout
The plaintiffs argue that Thompson Coburn and PHS failed to implement adequate protections against known cyber threats, leaving patient data vulnerable to cybercriminals. The lawsuit emphasizes the high value of healthcare data on the black market, where it’s frequently used for identity theft and fraud.
As Steve Alder of the HIPAA Journal explains, “There are so many more data breaches in the healthcare sector than in other sectors because healthcare data is more valuable on the black market than any other type of data. This is because it takes longer for healthcare fraud to be discovered and stolen data can be used for longer compared to (for example) a stolen credit card which can be stopped as soon as the breach is discovered.” This breach underscores the severe consequences of inadequate cybersecurity in the healthcare industry.
Cybersecurity Shortcomings and the Rising Tide of Healthcare Breaches
This incident is not an isolated case. The lawsuit highlights a concerning trend of cyberattacks targeting not only healthcare providers but also their affiliated service partners, such as law firms that store extensive patient data. The average cost of a healthcare data breach in 2024 reached nearly $9.8 million, a stark reminder of the financial ramifications.
The U.S. healthcare sector experienced over 745 large-scale breaches in 2023 alone, impacting millions. This alarming statistic, coupled with the sector’s reliance on digital records and often outdated IT infrastructure, necessitates a significant upgrade in cybersecurity protocols.
The consequences extend beyond financial losses; breaches can severely disrupt patient care, potentially delaying or preventing essential treatments. Ransomware attacks can even lead to temporary shutdowns of critical systems, posing life-threatening risks.
Thompson Coburn’s Response and Next Steps
In response to the breach, Thompson Coburn LLP issued a public notice detailing the incident and subsequent actions. The firm stated that the compromised data may include sensitive details, and affected individuals received notifications specifying the compromised information.
While Thompson Coburn claims no evidence of identity theft or fraud, they’ve provided free credit monitoring and identity theft protection services to potentially affected individuals. They’ve also implemented enhanced security measures to prevent future incidents and have urged individuals to monitor their accounts for unusual activity.
A toll-free assistance line (1-866-629-7715) has been established for further information. Both Thompson Coburn and Presbyterian Healthcare Services have been contacted for comment but haven’t yet responded. This data breach serves as a cautionary tale for all organizations handling sensitive personal and medical information, emphasizing the critical need for proactive and robust cybersecurity strategies.