NY-Based Empress EMS Ambulance Service Faces Multiple Data Breach Lawsuits

Multiple class action lawsuits have been filed against Empress EMS, the New York ambulance service, following a ransomware attack discovered on July 14, 2022. The HIVE ransomware gang has claimed responsibility for the attack. 

According to the breach notification issued by Empress EMS, hackers from HIVE gained access to the network, stole files containing sensitive patient information, and then encrypted the files to prevent access. The information collected by the threat actors included full names, birth dates, demographic information, diagnoses, treatment information, medical record numbers, dates of service, prescription information, insurance information, and even Social Security numbers for an unlucky subset of patients. Some of the stolen sensitive information was subsequently published on the Hive ransomware data leak site. However, some of the data was immediately removed, indicating that Empress EMS fulfilled the ransom demands. According to the breach investigation, the ransomware gang initially accessed the network on or about May 26, 2022. On September 9, 2022, notification letters were delivered to everyone who was impacted. Up to 318,558 people may have been impacted, according to information provided to the HHS Office for Civil Rights. Free credit monitoring services were made available to anyone whose Social Security number had been compromised.

The most recent legal action, filed in Manhattan federal court on behalf of plaintiff Robert D’Agostini and others similarly situated, accuses the defendants of negligence for failing to adequately protect patient data, of breaching an implied contract, and of violating New York General Business Law. In addition, the complaint claims that Empress EMS violated HIPAA. The lawsuit raises concerns about how long it took Empress EMS to discover the intrusion (nearly 2 months) and how long it took to inform those who were impacted (more than 7 weeks). According to the lawsuit, Empress EMS delayed its notifications unreasonably. It should be noted, however, that HIPAA stipulates that notifications must be delivered without undue delay and grants regulated entities a maximum of 60 days from the day a data breach is discovered to make notifications.

The lawsuit claims that the plaintiffs’ and class members’ privacy rights have been breached, their protected health information (PHI) has been compromised by hackers, their PHI has been made public, and they are now at risk of fraud and identity theft. The case seeks class action status, a jury trial, actual damages, treble damages, and punitive damages. The lawsuit is one of at least 4 that Empress EMS has faced as a result of the data leak.