April 24, 2024

Class action lawsuit targets Johns Hopkins University. after a health system data breach

A class action lawsuit in Maryland is targeting Johns Hopkins University after the affiliated health system was subject to a data breach in late May.

A class action lawsuit in Maryland is targeting Johns Hopkins University after its affiliated health system was subject to a data breach in late May.

The university system is being blamed for disclosing personal health information and personally identifiable data such as health and social security information numbers, according to a July 7 filing in Maryland federal district court.

“The total number of individuals whose data was exposed due to Johns Hopkins’ failure to implement appropriate security safeguards is unknown at this time but is estimated to be in the thousands/hundreds of thousands based on Johns Hopkins customers,” the filing said.

A patient named Pamela Hunter was listed as a plaintiff in one of three class action lawsuits against the system. The lawsuit said Hunter was not aware of a data breach or that the teaching hospital had the Baltimore County resident’s data.

​​​​​​Hunter received a letter about the potential data breach on June 24, according to the filing.

“The Plaintiff and the Class Members, even today, remain in the dark as to what data was stolen, the specific malware used, and what steps are being taken to secure their PHI/PII and financial information going forward,” the lawsuit said.

After the university and health system’s MOVEit software data breach, which affected other large agencies and entities, the school said it began investigating and securing private data.

“Until we have more information, we strongly encourage all students, faculty and staff – as well as dependents – to take immediate steps to protect your personal information as a precautionary measure,” said the system.

Hopkins said he will notify those affected by the breach as the investigation continues, and the university will provide resources such as credit monitoring services to those affected by the breach.

The HIPAA rule currently requires notification within 60 days of discovery of a breach of protected health information. That notice must contain information about the data breached, guidance for potential victims to protect their data, a description of what is being done to investigate, mitigate and prevent breaches and contact information for the entity.

This information was provided by Johns Hopkins on dedicated website for those looking for more information.

“We took immediate action to secure our systems and are working closely with cybersecurity experts and law enforcement to determine what information was compromised,” the organization said. “The attack had no negative impact on the operations of Johns Hopkins University or the Johns Hopkins Health System.”

Johns Hopkins University has not shared a public statement or filed a response to the class action complaint.

Get the latest news and daily headlines delivered to your email inbox by signing up here.

© 2023 WTOP. All rights reserved. This website is not intended for users located within the European Economic Area.

Leave a Reply

Your email address will not be published. Required fields are marked *