(The Center Square) – A class-action lawsuit seeking $99 million in damages has been lodged against a Tampa-based health care provider for alleged negligence in a ransomware breach of patient and employee records.
Morgan & Morgan law firm’s June 30 lawsuit claims Florida Orthopaedic Institute failed to properly secure the records of 100,000 to 150,000 current and former patients exposed in an April ransomware attack.
Orlando-based Morgan & Morgan filed the claim days after UnityPoint Health agreed to pay $2.8 million in a preliminary settlement of a similar ransomware-related negligence lawsuit after a data breach in Iowa.
Florida Orthopaedic Institute said last month an April 9 ransomware attack encrypted data stored on its servers.
Florida Orthopaedic Institute said “personal information affected … may have included names, dates of birth, Social Security numbers, medical information related to appointment times, physician locations, diagnosis codes, payment amounts, insurance plan identification numbers, payer identification numbers, claims addresses, and/or FOI claims history.”
Morgan & Morgan’s suit against Musculoskeletal Institute, which operates Florida Orthopaedic Institute, alleges its “lackadaisical, cavalier, reckless, or in the very least, negligent” actions “resulted in the exposure of (records of) at least 100,000 patients and potentially in excess of 150,000 current and former patients.”
“As a result of defendant’s failure to implement and follow basic security procedures,” those records are now “in the hands of thieves and unknown criminals,” the lawsuit states.
As is typical in ransomware incidents involving corporations and private businesses, Florida Orthopaedic Institute has not revealed whether it paid money, usually bitcoin, to unlock its data, but acknowledged it was a ransomware victim.
Ransomware attacks against municipalities, government agencies and utilities are public record. At least four Florida cities, a sheriff’s department and a police department suffered ransomware attacks in 2019.
According to New Zealand-based global anti-malware company Emsisoft, however, ransomware attacks against private entities are underreported, with hackers extorting $1.4 billion from U.S. businesses in 2019, usually in what are acknowledged as “data breaches.”
“And that $1.4 billion is only the tip of the iceberg as it is only the demands paid,” Emsisoft threat analyst Brett Callow said. “Factor in a very low estimate for downtime and the cost increases to a little under $10 billion. And, again, that still doesn’t provide a complete picture. There’s the cost of lost business opportunities, lost IP, lawsuits and a myriad of other expenses that we didn’t even attempt to estimate.”
The Iowa lawsuit against UnityPoint Health and Morgan & Morgan’s legal challenge could unseal exactly how pervasive ransomware is nationwide.
“Ransomware attacks are now very often ‘data breaches’ and, as such, expose impacted entities to a myriad of potential legal problems in addition to the usual problems of reputational damage, business interruption and data loss,” Callow told Information Security Media Group’s HealthcareInfoSecurity.com.
According to the U.S. Department of Health and Human Services (DHHS), in June alone, one Florida health plan and five health care providers reported data breaches, affecting records of more than 180,000 policyholders, patients and employees.
The DHHS Office of Civil Rights’ HIPAA Breach Reporting Tool, which documents health data breaches affecting at least 500 people, cites the breach of 150,000 patients’ data at four Magellan Health affiliates and 28,268 records at Miami-based Cano Health.
An April 9 “hacking/IT incident” breached eight Arizona-based Magellan Health affiliates nationwide, exposing data on 365,000 patients and employees.
The Magellan breach included records of more than 150,000 Floridians employed and enrolled in Magellan Complete Care of Florida (76,236 records), UF Health Jacksonville (54,002), UF Health Shands (13,146) and UF Health (9,182).
According to Magellan, hackers used an email phishing scheme and malware to access and “exfiltrate,” or “withdraw surreptitiously,” patients’ data, as well as workers’ and contractors’ Social Security numbers, W-2 information and employee ID numbers, five days before launching its ransomware attack.
At least 66 health care providers have reported malware, ransomware and phishing attacks this year, according to Becker’s Hospital Review, although its listing does not include Cano Health’s breach, nor the hack of 63,581 patients’ records at NCH Healthcare System in Naples.