A law firm representing a healthcare organization is facing a class action lawsuit.
What happened
In May 2024, St. Louis-based law firm Thompson Coburn faced a data breach. According to its report, the hackers were able to access patient information from Presbyterian Healthcare Services, which was a client of the law firm. Accessed information included Social Security numbers, dates of birth, and health information.
Thompson Coburn said they provide some legal counsel to Presbyterian for government billing and repayment.
Presbyterian Healthcare Services spokesperson, Amanda Schoenberg, said, “Unfortunately, we have learned that a law firm that we work with, Thompson Coburn LLP, experienced a data security incident that involved the protected health information of certain Presbyterian patients…While Thompson Coburn is sending letters to potentially impacted patients this week, the law firm does not have any indication that identity theft or fraud has occurred related to this incident.”
It’s believed that approximately 300,000 individuals may have been impacted. Schoenberg added, “We take the responsibility of protecting the privacy of our patients and members very seriously.”
What’s new
Now, the law firm and the healthcare center have become the focus of a class-action lawsuit. The suit was filed on November 12th in an Illinois federal court and accuses both parties of failing to properly secure patients' personal and medical data. It argues that a number of inadequate protections made the threat difficult to prevent or recognize.
Lawsuits like these take time to go through the court system, but the vast majority settle before they ever go to trial. These suits are becoming increasingly common, with settlements often well into the million-dollar range.
Many organizations think they are too small to attack, but most attacks are based on opportunity, making it important for every organization to prioritize cybersecurity.
The big picture
For many healthcare organizations, lawsuits have become one of the largest incentives for protecting data. HHS only sometimes investigates these incidents, and most organizations say they will improve cybersecurity but do not follow up, so lawsuits seem to be one of the biggest, and perhaps only, consequences organizations face.
Despite the large disincentive, many organizations say that breaches are difficult or impossible to prevent due to cybercriminals' increasing sophistication and evolving tactics. While breaches can be challenging to prevent, organizations must do their best to stop them.
The right tools and protocols can prevent the vast majority of breaches.