Court Recommends Dismissal of Practicefirst Breach Lawsuit
Ransomware Incident Involved Data Exfiltration, Affected 1.2 Million
A New York federal court has recommended the dismissal of a class action lawsuit filed against medical practice management vendor Practicefirst in the aftermath of a 2020 ransomware attack that involved data exfiltration and affected the personal and health information of 1.2 million individuals.
The lawsuit against Amherst, New York-based Professional Business Systems, which does business as Practicefirst Medical Management Solutions, was filed last July by two main plaintiffs, Peter Tassmer and Karen Cannon, on behalf of themselves and others similarly affected by the company's December 2020 ransomware incident.
As other courts have done in previous data breach cases, the U.S. District Court for the Western District of New York recommended on Tuesday that the lawsuit be dismissed because the plaintiffs' risk of identity theft or other injury was too "speculative" and not imminent.
Parties have 14 days to file objections to the court's recommendations to dismiss the case before a final ruling is made.
In its recommendation to dismiss, the New York court said it agreed with "numerous circuit and district courts" that have declined to find standing in similar data breach lawsuits based on an alleged imminent risk of future identity theft where plaintiffs are unable to show that their data, or the data of other victims of the breach or cyberattack, was actually misused.
The plaintiffs filed the lawsuit in the wake of a December 2020 ransomware attack on Practicefirst in which patient and employee data was obtained by hackers. The main plaintiffs in the lawsuit were patients of medical practices that contracted with Practicefirst and whose PHI and PII were stored on Practicefirst's computer systems, court documents say.
Practicefirst's services to medical practices include billing, bookkeeping, credentialing, coding and compliance.
In a sample breach notification letter that Practicefirst provided to the state of Maine's attorney general on July 1, 2021, the company said that on Dec. 30, 2020, it had "learned that an unauthorized actor who attempted to deploy ransomware to encrypt our systems copied some files from our system, including files that contain limited patient and employee personal information."
The company said it then shut down its systems, changed passwords, alerted law enforcement agencies and retained privacy and security experts to assist.
The notice said that information "copied" from Practicefirst's system by the unauthorized actor "before being permanently deleted" included names, addresses, email addresses, dates of birth, driver's license numbers, Social Security numbers, diagnoses, laboratory and treatment information, patient identification numbers, employee usernames and passwords, employee usernames with security questions and answers, and bank, credit or debit card information.
The lawsuit alleged, among a number of other claims, that Practicefirst's "wrongful actions, inaction and/or omissions" leading to the data breach and the unauthorized release and disclosure of plaintiffs' and other class members' PII/PHI, resulted in "the increased risk of future ascertainable losses, economic damages and other actual injury and harm."
The lawsuit also alleged negligence in Practicefirst's failure to protect the plaintiffs and class members' protected health information and personally identifiable information.
Practicefirst "owed this duty to Plaintiffs and the other Class members because … [they] compose a well-defined, foreseeable and probable class of individuals whom Defendant should have been aware could be injured by Defendant’s inadequate security protocols," the lawsuit alleged.
It sought damages and for Practicefirst to implement a long list of security improvements.
An attorney representing plaintiffs in the Practicefirst lawsuit did not immediately respond to Information Security Media Group's request for comment on the court's decision.
Practicefirst did not immediately respond to ISMG's request for comment.
'No Actual or Imminent Harm'
Some legal experts note that the New York court's recommendations to dismiss the Practicefirst class action lawsuit spotlight actual and imminent impediments to Article III standing.
"Concrete, particularized. Use whatever adjectives come to mind; certain courts will reject future, even likely risks, as some variation of 'nebulous' and find no actual or imminent harm sufficient to find standing," says technology attorney Steven Teppler, a partner at the law firm Sterlington PLLC.
"That said, the court applied the 2d Circuit harm test for standing - 'concrete, particularized, and imminent,'" he says.
That test considers whether the plaintiff's data was exposed as part of a targeted attempt to obtain data; whether any portion of the data has been misused, even if the plaintiffs themselves did not experience any fraud; and whether the type of data exposed is sensitive, creating a high risk of identity theft or fraud, he says.
"What is interesting in the court’s conclusion, without any evidence, is that 'the primary purpose of a ransomware attack is the exchange of money for access to data, not data theft,'" he says, adding: "What the court fails to take into account is the exfiltration of healthcare information is valuable and is equally likely as not to be sold on the dark web.
"Indeed, the primary purpose of a ransomware attack is the exchange of money for access to data. The court also fails to take into account threat actors' 'aging' of PHI to lull victims into a sense of complacency before engaging in identity compromise."
While many courts have made decisions similar to the one made in the Practicefirst data breach case, not all courts have taken that route, some experts say.
"The federal courts have been working through a growing number of cases brought by consumers who allege they have been harmed when their personal information may have been compromised due to a cyberattack or ransomware event," says privacy attorney David Holtzman of the consulting firm HITprivacy LLC.
"Standards for how individuals demonstrate actual harm from misuse of their sensitive information, or have a reasonable expectation that they are at significant risk of being victimized, are evolving on a case-by-case basis," he says.
Holtzman gives the example of a 2015 class action lawsuit filed against health insurer Excellus Blue Cross Blue Shield in the wake of a cyberattack that affected 10.5 million individuals, which survived a motion to dismiss for lack of standing.
"The court ruled that the consumers in the case against Excellus established a concrete risk of future harm by alleging their information was available on the dark web in a proximate time frame to the cyberattack," he says.
A recently proposed settlement in the lawsuit against Excellus awaits final approval by a New York federal court. A hearing for the proposed settlement, which calls for Excellus to make a series of improvements to its data security practices and processes, is slated for April 23 (see: Proposed Settlement Calls for Health Plan to Bolster Security).