Recently, a healthcare class action lawsuit was filed against Einstein Healthcare. The lead plaintiff in the healthcare lawsuit is patient Nanette Katz. In August of 2020, Einstein was the victim of a phishing attack that led to numerous employee email accounts being accessed by someone without authorization.
The 51-page complaint alleges Einstein Healthcare failed to secure and safeguard the protected health information (PHI) of patients, and failed to implement basic security procedures. As a result, the plaintiffs allege, their PHI has been accessed by cyberthieves, who may use the information to commit identity theft. More details about this healthcare class action lawsuit are discussed below.
Einstein Healthcare Class Action Lawsuit: The Facts
Einstein Healthcare is a non-profit health system that operates four hospitals – Einstein Medical Center Philadelphia, Elkins Park Hospital, MossRehab in Elkins Park, and Einstein Medical Center Montgomery – and multiple outpatient and primary care clinics throughout the greater Philadelphia area.
In August 2020, Einstein suffered a phishing attack that led to unauthorized access to its employee email accounts. The unauthorized medical breach lasted from August 5, 2020 to August 17, 2020, and exposed the PHI of approximately 350,000 patients.
The exposed information includes names, dates of birth, account/medical record numbers, diagnosis and treatment information, Social Security numbers, and health insurance information.
On October 9, 2020, Einstein reported the incident to the Department of Health and Human Services (HHS). That same day, Einstein began to notify affected patients of the breach by mail. As Einstein conducted additional investigations, it sent further notifications to patients in January and February of 2021.
Einstein Healthcare Class Action Lawsuit: The Allegations
Following the medical breach, Einstein, as required by law, implemented additional security measures to prevent further medical breaches. This included retraining its workforce on suspicious email detection. These efforts were insufficient for lead plaintiff Nanette Katz, who alleged she first received a breach notification in January of 2021, more than 6 months after the incident. The healthcare class action alleges that breach responses to patients were not only untimely, but failed to provide basic details concerning the breach.
The healthcare class action seeks monetary damages for the plaintiff and other class members. It also seeks an order requiring Einstein to implement reasonably sufficient safeguards to prevent further medical breaches. Finally, the healthcare class action seeks an order requiring Einstein to fully disclose the details of the nature and extent of data compromise.
Einstein, What’s Your Damage?
Whether monetary damages will be awarded is not certain. As is the case with healthcare lawsuits generally, to be awarded damages, a plaintiff must prove evidence that he or she has suffered tangible financial harm. Monetary damages in a healthcare lawsuit include, for example, lost wages or reimbursement for medical expenses – items whose monetary value can be measured. If plaintiffs can only speculate that they sustained monetary damages, a court will not issue these damages. This principle was most recently stated in a federal court of appeals case, Pruchnicki v. Envision Healthcare Corp.
In that case, defendant Envision Healthcare’s systems were breached, resulting in the compromise of patient data. However, Although plaintiff had not suffered identity theft or fraud, she alleged that such criminal activity is “imminent and certainly impending.” The court rejected the allegation as speculative. The court held that the plaintiff’s allegation of “imminent and impending injury of potential fraud and identity theft” were insufficient to support her claim. The court also rejected plaintiff’s claims that she was entitled to damages for “lost time” spent reviewing credit reports, finding that plaintiff must have shown that she incurred actual out-of-pocket expenses in reviewing those reports to allege damages.
