COLONIE — Two patients of Community Care Physicians have sued the medical group and its accounting firm over a late-2019 data breach and are seeking class action status for the estimated 170,000 other CCP patients potentially at risk.
The two complaints, one in state court and one in federal court, allege significant and long-lasting impacts from the ransomware attack, as their personal information is now available to identity thieves and fraudsters.
Not counting any recent changes amid the COVID-19 pandemic, Latham-based CCP is a major presence in the Capital Region medical community, with 2,000 employees serving 370,000 patients at 80 locations in eight counties.
CCP’s accounting firm, Colonie-based BST & Co. CPAs, suffered a computer breach in early December that exposed personal information of CCP patients.
CCP did not disclose this to the patients for more than two months, finally sending out a notice on Feb. 14 and advising them to take precautions to protect their identity.
In February, CCP and BST would not discuss how many people were affected. The new litigation offers details.
On May 27, lawyers for Elmer Robert Keach III of Albany filed a complaint against BST in state Supreme Court in Albany County. On June 12, lawyers for Eleanor Murray of Niskayuna filed a complaint against BST and CCP in U.S. District Court in Albany. Both complaints seek class action status for the case on behalf of Keach, Murray and others in the same situation as they are.
The complaints, written by separate lawyers for separate court systems, vary in language and mechanics but essentially lay out the same narrative: BST and CCP could have and should have prevented this breach, and they amplified its impact by waiting more than two months to report it to the victims, who now face anxiety and expense over their data being public.
The two lawsuits’ assertions and allegations include:
- BST failed to implement adequate cyber-security protocols and procedures.
- The breach was reasonably foreseeable given the high frequency of cyberattacks in the financial services and medical industries.
- The ransomware attack began Dec. 4 and was detected Dec. 7; had BST and its employees better monitored computer networks and systems, they would have detected it sooner.
- BST and CCP did not encrypt the protected health information they held, as specified in the HIPAA Security Rule; BST failed to adhere to the federal Safeguards Rule; and CCP failed to adhere to industry standards.
- CCP failed to train employees on even the most basic cybersecurity protocols.
- CCP has violated the covenant of good faith and fair dealing.
- Private information of 170,000 people was affected by the incident.
- Notification was not sent to affected patients until Feb. 14, 2020.
- CCP told consumers that BST’s investigation didn’t confirm an unauthorized individual had obtained their personal information, even though that information already had been published online.
- Data thieves can use the sensitive and confidential personal information they stole for a wide variety of misdeeds.
- Plaintiff and class members are at elevated risk of fraud and identity theft for years to come because of the breach; they may also have to incur out-of-pocket costs and spend time and effort for protective measures.
The complaints seek jury trials.
Keach seeks compensatory and punitive damages, reimbursement of out-of-pocket costs, payment for at least seven years of credit monitoring, and injunctive relief including improvement to BST’s data security systems.
Murray asks for damages, interest at the maximum interest rate allowable by law, injunctive and declaratory relief, costs, disbursements and attorney fees.
CCP did not return requests for comment for this story. BST said it does not comment on pending litigation.
CCP said in a released statement in late February that it could not confirm any patient data had been compromised, and would not specify how many patients’ data had been put at risk.