Keystone Health Faces Lawsuit Over Healthcare Data Breach

Keystone Health suffered a healthcare data breach that impacted 235,237 individuals and potentially exposed protected health information.

By Jill McKeon

Pennsylvania-based Keystone Health is facing a class action lawsuit over a 2022 data breach that impacted more than 235,000 individuals.

As previously reported, Keystone Health discovered a security incident on August 19, 2022, and later determined that an unauthorized party had accessed files within its system between July 28 and August 19.

The files contained patient names, clinical information, and Social Security numbers. Keystone mailed letters to impacted individuals and offered credit monitoring services to those who were eligible.

In a lawsuit filed shortly after patients were notified of the breach, the plaintiff’s legal team alleged that Keystone Health failed to implement reasonable security procedures to protect sensitive information.

“By obtaining, collecting, using, and deriving a benefit from Plaintiff’s and Class Members’ Private Information, Defendant assumed legal and equitable duties and knew or should have known that it was responsible to protect Plaintiff’s and Class Members’ Private Information from unauthorized disclosure,” the complaint suggested.

Specifically, the lawsuit alleged that Keystone failed to comply with industry standards, Federal Trade Commission (FTC) guidelines, and HIPAA compliance requirements. It is important to note that these allegations have not been proven in court, and it is common to see lawsuits come up in the aftermath of a breach.

Managing the legal risks of a healthcare data breach can be difficult. Even with advanced security tools, organizations can still be targeted by cyber threat actors.

HIPAA-covered entities should pay close attention to state and federal breach notification requirements, document security and privacy practices, and implement a robust cyber incident response plan to mitigate legal and operational risks.