Pennsylvania Health System Sued Over Data Breach Affecting 461,000 Patients

Pennsylvania Health System Sued Over Data Breach Affecting 461,000 Patients
Maternal and Family Health Services Inc. website has an online explanation of the data breach, March 21, 2023. Beth Brelje/The Epoch Times
Beth Brelje
Updated:
0:00

A healthcare system with services in 17 Pennsylvania counties says a ransomware incident last year allowed unknown actors to access sensitive patient information such as Social Security numbers, medical records, and health insurance information.

Wilkes-Barre-based Maternal and Family Health Services Inc. (MFHS) discovered the breach on April 4, 2022.

The sensitive patient information that could have been accessed also included dates of birth, patient account numbers, and driver’s license numbers, as well as payment and financial account information.

An investigation found unknown actors gained unauthorized access to the organization’s systems between Aug. 21, 2021, and April 4, 2022, according to the MFHS website.

“The data breach was wide-reaching and compromised the personal information of at least 461,000 patients,” according to legal papers referencing a submission MFHS made to the U.S. Secretary of Health and Human Services at the Office for Civil Rights.

But MFHS didn’t start notifying patients until nine months later in a Jan. 3, 2023, letter.

“Maternal and Family Health Services experienced a ransomware incident. During the typical ransomware incidents, cyber criminals try to lock an organization’s digital files in an attempt to get paid for digital key to unlock the files. We promptly launched an investigation, engaged a National Cybersecurity firm to assist in assessing the scope of the incident, and took steps to mitigate the potential impact to our community,” the letter said.

“Please note that there is no evidence at this time that any of your personal information has been misused as a result of this incident.”

Identity Theft Claim

Chris Izquierdo of Scranton says she is a victim of identity theft due to the data breach. Izquierdo is the lead plaintiff in a newly filed class action case in the Middle District of Pennsylvania, seeking damages and future protection from identity theft for those affected.

A complaint filed this month says MFHA downplayed the seriousness of the breach.

Since the Data Breach, Izquierdo has learned of at least five fraudulent credit card accounts being opened in her name, court papers say. Opening these accounts would have required knowledge of her personal information, such as name, date of birth, and Social Security number.

Her credit score has decreased because the fraudulent accounts have outstanding balances and are accruing interest charges she is asked to pay. A utility service account has been opened using her information in Florida, where she has never lived.

Medical data is particularly valuable, according to the court filing, because criminals can use it to target victims with scams that take advantage of the victim’s medical conditions or settlements. It can be used to create fake insurance claims, allowing for the purchase and resale of medical equipment, or the information can be used to get prescriptions for illegal use or resale.

The theft can lead to inaccurate medical records, which could lead to misdiagnosis.

The Epoch Times asked MFHS for comment, but it did not respond by the time of publication.

Beth Brelje
Beth Brelje
Reporter
Beth Brelje is a former reporter with The Epoch Times. Ms. Brelje previously worked in radio for 20 years and after moving to print, worked at Pocono Record and Reading Eagle.
Related Topics