Claims of “negligence” are often raised in lawsuits. DataBreaches is not a lawyer, of course, but wonders whether by now, we should consider a plastic surgeon “negligent” in their data security if they store nude photos of their patients with patient names and identity information in plain text and no strong encryption or suitable alternative with access controls.
What do you think?
Over the past decade, DataBreaches has reported on cyberattacks targeting plastic surgery clinics and practices by financially motivated threat actors who leak the patients’ nude photos and sensitive information when their targets do not pay their demands. Some threat actors not only post nude photos and files on the internet, but they reach out to patients directly — and then to their colleagues and family and friends — to pressure patients to pay them to remove their data.
Regardless of what adjectives we use to describe the attackers (“heartless b*stards” may spring immediately to your mind), what adjectives do we use to describe the doctors and clinics that failed to adequately secure patient data? Do we just consider them unlucky or do we hold them accountable because they should have expected to be attacked and have had better protections in place for ePHI?
While plaintiffs may allege negligence — that practitioners should have foreseen that an attack was not just possible but likely — defendants may try to claim that there was no negligence.
The litigation against Hankins & Sohn Plastic Surgery Associates provides a useful example. Hankins & Sohn was attacked in February, 2023. They notified their patients in March and April. Threat actors subsequently created a leak site with nude photos, personal information, and medical records of named patients, and the information on the leak site was indexed by Google. 8NewsNow had a write-up about the attack and aftermath.
A class action lawsuit was subsequently consolidated in Nevada District Court: Tausinga v. Hankins & Sohn Plastic Surgery Associates et al, 2:2023cv00824. The first cause of action in the second amended complaint is negligence, with plaintiffs noting the healthcare provider’s obligations under the FTC Act, HIPAA, and state laws. While there is no private cause of action under HIPAA, its regulations under the Security Rule are often cited as setting the industry standard for regulated entities such as medical practices and surgeries.
In the defendants’ motion to dismiss the second amended complaint, counsel for Hankins & Sohn claims:
(2) the Practice was not negligent in that it implemented reasonable security measures to safeguard Plaintiffs’ personal identifiable information (PII) and privileged health information (PHI) and had no prior notice of the data breach, which was not foreseeable to the practice and, therefore, the negligence and negligent misrepresentation causes of action asserted are without merit;
Not foreseeable? With all the warnings that had been posted by then about attacks on the healthcare sector and the high value of sensitive medical information on dark web markets? Not foreseeable when this site had already reported breaches and extortion attempts in the EU and U.S. involving patient data and plastic surgery patients’ data?
Counsel for Hankins & Sohn dismisses those types of considerations:
Plaintiffs’ claim that such an attack was foreseeable merely because of numerous other cyberattacks occurring throughout the country lacks merit and defies credulity. See ECF No. 75 at ¶¶39-45, ¶149, ¶184, ¶186. In short, Plaintiffs’ Second Amended Complaint does not contain any factual allegations to plausibly support a conclusion that the Practice failed to implement reasonable security measures, and that it had any reason to be on guard for this unexpected criminal cyberattack, which occurred despite the practice’s diligent efforts to prevent it. Moreover, Plaintiffs failed to plead their negligent misrepresentation claim with particularity, as required by FRCP 9(b). Because Plaintiffs have failed to justify their conclusory allegation of foreseeability of the data breach to support their negligence claims, those claims fail to establish the required elements and should be dismissed.
By 2023, HHS had spent years reminding regulated entities that they needed to perform risk assessments that identified ePHI and addressed the risks identified in the risk assessment with technical, administrative, and physical safeguards. Did Hankins & Sohn perform — and annually update and review — a comprehensive risk assessment for their ePHI and patient PHI? What safeguards did they identify and deploy as appropriate and sufficient for such sensitive data? What suitable alternative to encryption did they deploy if they decided that encryption could not be used? And what safeguards did they put in place to prevent an employee from falling prey to a phishing attack that would give attackers access to the network?
The above are not accusations. They are genuine questions. The litigation has not reached the discovery stage, so those remain unanswered questions at this point.
But while the case proceeds, sensitive patient data is still exposed on the internet for anyone to find. Assuming that they tried to get it removed while refusing to pay extortion demands, Hankins & Sohn have apparently been unable to get the current leak site removed.
To make matters worse for their patients, the threat actors inform DataBreaches that they have their own schedule and plan.
The threat actors, who are the same threat actors that subsequently attacked at least two other plastic surgeons — Gary Motykie, M.D. and Jaime Schwartz, M.D. — plan to update their Hankins & Sohn leak site soon. In recent email communications, they commented on the Hankins & Sohn matter:
Remarkable people (Schwartz and Hankins with Sohn) — everything can be resolved for relatively small amounts compared to their losses. But apparently, their stubborn faith in personal attorneys is their paradigm.
Right now, we are working on publishing absolutely all clients of Hankins and Sohn — there are over 10,000 of them. The format will be somewhat different, but the files of all the clients we extracted at the time of the incident will be made publicly available.
We are currently working on a convenient format for accessing the files.
Since they are stubborn, we will continue moving forward in our own way.
On inquiry, the spokesperson for the group clarified that they hadn’t had any contact with Hankins & Sohn “for a very long time. They’re aware of the site, and our email is listed there in case they want to request the removal of their data from public access…. if they’re willing, we can still come to an agreement.”
As for the initial access — it was simple: a document was sent, and their employee opened it. The rest was our technical process. Anyway, soon we’ll be publishing all the clients, along with an easy guide on how to access and download the files. In our opinion, the lawyers are going to have a feast — and as for Hankins & Sohn, we don’t care anymore. Let their clients protest at the clinic and demand the site be shut down.