More coverage of a lawsuit against BST, a CPA firm that is a business associate of Community Care Physicians. BST had been attacked by Maze ransomware, and when they did not pay the demanded ransom, the ransomware operators started dumping some of the data to increase pressure on them. Now patients of Community Care Physicians seek class action status, though not against the medical practice, just against the business associate.
Marianne Kolbasuk McGee reports:
A proposed class action lawsuit filed against an accounting firm in the wake of a 2019 ransomware incident that allegedly exposed patient information serves as the latest reminder of the security and privacy risks posed by vendors.
In the lawsuit filed on May 27 in the New York state supreme court, lead plaintiff Elmer Keach – a patient of Community Care Physicians, a large multispecialty medical group in upstate New York – alleges, among other claims, that accounting firm BST & Co. CPAs LLC was “negligent and reckless” in protecting CCP’s patient information from “unauthorized intrusions.” (See Hacking of Accounting Firm Affects Medical Group).
Read more on GovInfoSecurity.
Although this article mentions that CCP has not yet shown up with any report on HHS’s public breach tool, I would point out that under the law, they did not need to submit a report to HHS if their business associate did, and BST *did* report the incident to HHS. It’s just not possible from BST’s entry on the breach tool to know how many of the 170,000 are CCP patients, as BST may have had other covered entities as clients who were also affected. I suspect we will find out more after discovery if this case doesn’t settle.