Weitz & Luxenberg today initiated an investigation into the harm suffered by patients whose private health and financial records were hacked during a recent data breach in Indiana, the law firm announced.
Records of approximately 4 million patients found their way into criminal hands through the data breach, which occurred at a Fort Wayne electronic medical records company. W&L said its investigation seeks to determine the extent to which the hacking of information from Medical Informatics Engineering and a subsidiary — NoMoreClipboard — resulted in economic harm.
W&L said one such consequence is likely to be a wave of unauthorized credit transactions made by the hackers masquerading as the patients whose confidential personal information was stolen.
Data Breach Victims Have Legal Rights
W&L said patients economically harmed by disclosure of their private records may have a legal right to compensation from Medical Informatics Engineering and NoMoreClipboard.
“A court could order the companies to try to restore the injured patients to the position they were in before the data breach by paying each of them an award of money,” explained attorney James Bilsborrow of W&L’s Environmental and Consumer Protection unit.
“The amount of money awarded to each victimized patient would be tied to the dollar value of his or her loss arising out of the data breach, as well as associated statutory penalties,” he said.
Patients who have reason to believe their private information was hacked and then used for a criminal purpose following the Medical Informatics Engineering and NoMoreClipboard data breach may contact W&L for a free, no-obligation assessment of their legal rights.
The firm said patients may arrange for this evaluation by calling (212) 558-5786 or by submitting an online form.
Delay in Notifying Victims of Data Breach
The data breach was detected May 26, about three weeks after it occurred, Bilsborrow said.
Medical Informatics Engineering stated that it revealed this fact to its clients — 11 healthcare providers and 44 radiology imaging centers — on June 2. However, patients knew nothing of the data breach until July 17 — more than six weeks later, according to Robin L. Greenwald, who heads W&L’s Environmental and Consumer Protection unit.
“There are many unanswered questions related to this data breach, but among the most vexing is why the company did not notify the victims sooner,” said Greenwald.
“Had the data breach been disclosed sooner, those affected could have taken steps to protect themselves from identity theft and other economic harms,” she continued.
Although the data breach itself happened sometime around May 7, Medical Informatics Engineering indicated the compromised records date back to at least 1997.
“As a result, no one yet knows for sure how many patients actually were impacted by this data breach,” said Greenwald.
Medical Informatics Engineering estimated that no fewer than 3.9 million patients across the U.S. may have been victimized by the data breach. The company said 1.5 million of those patients live in Indiana.
Data Breach Exposed Patients’ Private Info
According to Medical Informatics Engineering, the data breach exposed the patients’ names, addresses, phone numbers, birthdates, Social Security numbers and medical records, along with account IDs, passwords and answers to security questions.
The company said the data breach also gave the hackers details about patients’ spouses and children.
“The confidential information taken in this data breach can provide identity thieves with more than sufficient information to conduct fraudulent credit transactions in the victims’ names,” Bilsborrow said.
“The law protects data-breach victims when they are accused of engaging in unlawful credit transactions of which they are innocent,” he said. “A data-breach victim should never have to pay the price for the negligence of a company to which they entrusted confidential information.”