NY Ambulance Company Faces HIPAA-Related Class Action Suit Over Data Breach

Posted by: Curt Varone December 6, 2022 0

An ambulance service in New York is facing a class action lawsuit for mishandling protected health information and failing to disclose a data breach as required by the Health Insurance Portability and Accountability Act. Robert D’Agostini filed suit last week against Empress Ambulance Service LLC dba Empress EMS.

The suit alleges negligence, breach of contract, and a violation of New York General Business Law §349 on Deceptive Acts and Practices. While referencing violations of HIPAA, the complaint does not include a count alleging damages under HIPAA. Rather, the suit claims federal jurisdiction as a class action pursuant to the Class Action Fairness Act, 28 U.S.C. § 1332(d).

Quoting from the complaint:

  • In or around May 26, 2022, Empress experienced a data breach whereby unauthorized, third-party hackers gained access to Defendant’s internal systems through a ransomware attack.
  • Empress did not detect this unauthorized access until July 14, 2022—almost two months later—at which point those third-party hackers had already exfiltrated the personal identifying information (“PII”) and protected health information (“PHI”) of approximately 318,558 individuals from Empress’ systems.
  • This PII included, inter alia, those individual’s names, dates of birth, demographic information, diagnosis and treatment information, medical record numbers, dates of service, insurance information, prescription information, and social security numbers.
  • Under statute and regulation, Empress had a duty to implement reasonable, adequate industry-standard data security policies safeguards to protect patient PII and PHI.
  • Empress failed to implement such reasonable and adequate data safeguards and allowed third-party hackers to exfiltrate its patients’ PII and PHI.
  • Empress unreasonably delayed in notifying Plaintiff and Class Members of the data breach until approximately September 9, 2022—despite having discovered the breach nearly two months earlier—when it disseminated letters informing Plaintiff and other Class Members that their PII and PHI had been compromised by the data breach.
  • Even more egregiously, Empress’s Data Breach Notice sent to Plaintiff omits and misrepresents key information about the data breach.
  • The Data Breach Notice did not disclose that the Hive Gang, a notorious ransomware group, had announced that they were behind the breach. Immediately following the data breach, Hive contacted Defendant by email, in which they claimed that they had downloaded Empress’ “most important information with a total size over 280 GB,” and claimed to have obtained over 100,000 social security numbers from Empress’ systems.
  • This is in stark contrast to Empress’ Data Breach Notice and public disclosures, in which they claimed that only “a small subset of files” had been copied.
  • Empress’ Data Breach Notice also failed to inform Plaintiff that the Empress data breach had been briefly listed on Hive’s leak website, and that files exfiltrated in the data breach have been discovered available for download on the dark web.
  • As a result of Empress’s wrongful actions and inactions, patient information was stolen.
  • Plaintiff and Class Members have had their PII and PHI compromised by nefarious third- party hackers, have had their privacy rights violated, have been exposed to the risk of fraud and identify theft, and have otherwise suffered damages.
  • Plaintiff and Class Members bring this action to secure redress against Empress.

Here is a copy of the complaint. It is worth noting that the same allegations could be made against a fire-based EMS service under the same circumstances.

US_DIS_NYSD_7_22cv10122_d493489671e282_COMPLAINT_against_Empress_Ambulance_Service_LLC_d_Download

About Curt Varone

Curt Varone has over 45 years of fire service experience and 35 as a practicing attorney licensed in both Rhode Island and Maine. His background includes 29 years as a career firefighter in Providence (retiring as a Deputy Assistant Chief), as well as volunteer and paid on call experience. He is the author of two books: Legal Considerations for Fire and Emergency Services, (2006, 2nd ed. 2011, 3rd ed. 2014, 4th ed. 2022) and Fire Officer's Legal Handbook (2007), and is a contributing editor for Firehouse Magazine writing the Fire Law column.
© Copyright 2017, All Rights Reserved. | FireLawBlog.com & Curt Varone | Privacy Policy | Terms of Use
x

Check Also

Terminated Iowa Firefighter Alleges Due Process Violation

A volunteer firefighter in Iowa who was terminated last year, has filed suit pro se in US District Court for the District of Iowa claiming a violation of his Fourteenth Amendment rights. Paul Anthony Reed, Sr. filed suit today naming the City of West Liberty, the West Liberty Fire Department, the mayor, city manager, fire chief and assistant chief.

Court Dismisses Illinois Firefighter’s Civil Rights Suit Against Arson Investigator

The US District Court for the Northern District of Illinois has dismissed a lawsuit accusing an arson investigator of fabricating evidence and violating an arson suspect’s civil rights. The suit was brought by a firefighter who claims he and the investigator had a history that led to the arson charges being brought.