Consumer Electronics Daily was a Warren News publication.
'Foreseeable Consequences'

Data Breach Was 'Known Risk' to Pa. Medical Firm, Says Negligence Suit

June 29, 2023 by Rebecca Day|Top News

The personal information of over 181,000 individuals was compromised in a hacking incident due to data security failures at Great Valley Cardiology, alleged a class action (docket 3:23-cv-01050) Friday in U.S. District Court for Middle Pennsylvania in Scranton.

Great Valley’s data breach occurred April 13, but it didn’t begin notifying those affected by the breach until June 12, said plaintiff Robert Schulte, a Pennsylvania resident. The defendant’s data security failures allowed a targeted cyberattack from February to April to compromise its network that contained personally identifiable information and protected health information of Schulte and the class, it said.

Private information was a “known risk” to Great Valley. It wasn't the health service provider’s first data breach, and the defendant was “on notice” that failing to do what's necessary to secure private information “left that property in a dangerous condition,” said the complaint.

The health services company disregarded Schulte’s rights by “intentionally, willfully, recklessly, and/or negligently failing to take adequate reasonable measures” to ensure its data systems protected against unauthorized intrusions; failing to disclose it didn’t have robust computer systems and security practices to safeguard his private information; failing to take standard and “reasonably available steps” to prevent the data breach; and failing to provide plaintiff and class members with prompt and full notice of the breach, said the complaint.

If Great Valley monitored its computer network and systems properly, “it would have discovered the intrusion sooner rather than allowing cybercriminals a period of unimpeded access” to plaintiff’s and class members’ information, the complaint said. Due to defendant’s “negligent conduct,” Schulte’s and class members’ identities are at risk because their private information held by Great Valley “is now in the hand of data thieves,” it said.

Due to the breach and the “foreseeable consequences” of private information ending up in the possession of criminals, the risk of identity theft to Schulte and class members “has materialized and is imminent,” said the complaint. They have sustained actual injuries and damages such as invasion of privacy; out-of-pocket costs; loss of time and productivity; loss of time due to increased spam and targeted marketing emails; loss of benefit of the bargain; diminution of value of their private information; and continued risk to their private information, it said.

Schulte asserts claims of negligence, breach of fiduciary duty, breach of confidences and violation of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law. He seeks on behalf of himself and the class compensatory, statutory, treble and/or punitive damages; an order of restitution and disgorgement, declaratory and injunctive relief and reasonable attorneys’ fees, costs and expenses.