Consumer Electronics Daily was a Warren News publication.
Notifications Took 6 Months

Class Action Alleges Northwell Covered Up Breach Exposing Records of 3.9M Patients

November 24, 2023 by Paul Gluckman|Top News

Malicious actors accessed personal records of 3.9 million current and former Northwell Health patients between March 27 and May 2, but Northwell and its record-keeping vendor, Perry Johnson & Associates, kept the data breach hidden from the public until Nov. 3, alleged plaintiff Crystal Brewster’s class action Monday (docket 1:23-cv-08627) in U.S. District Court for Eastern New York in Brooklyn. Northwell runs 20 hospitals and more than 800 outpatient facilities in the New York area.

The records exposed in the breach include “some of the most sensitive types of data that cybercriminals seek in order to commit fraud and identity theft,” said the complaint. According to Northwell, information exposed in the breach includes names, dates of birth, addresses, medical record numbers, hospital account numbers, admission diagnoses, dates and times of service and other clinical data.

Armed with personal information accessed in the breach, the criminals could “commit a variety of crimes," including taking out loans in class members’ names, or using their health information “to target other phishing and hacking intrusions,” said the complaint. Northwell and its vendor “owed a non-delegable duty” to Brewster and her class members “to implement and maintain reasonable and adequate security measures” to safeguard their personal information “against unauthorized access and disclosure,” it said.

The class action “seeks to remedy these failings and their consequences,” said the complaint. As a result of the breach, Brewster and her class members “have been exposed to a heightened and imminent risk of medical and financial fraud and identity theft,” said the complaint. She and the class members “must now and in the future closely monitor their financial accounts and medical information to guard against identity theft,” it said.

The complaint seeks compensatory and punitive damages, plus reimbursement of out-of-pocket costs and “adequate credit monitoring services” funded by Northwell and its vendor. It also seeks injunctive relief, including improvements to Northwell's data security system, plus future annual audits. The class action asserts claims for negligence, negligence per se, breach of fiduciary duty, breach of implied contract and unjust enrichment.

Two additional class actions against Northwell and its vendor were filed Tuesday in different jurisdictions, both asserting the same allegations as the first class action in Brooklyn. Plaintiff Linda Kaufman brought her class action (docket 2:23-cv-01935) in U.S. District Court for Nevada in Las Vegas. Another plaintiff, Amanda Marconi, filed her complaint (docket 2:23-cv-08638) in U.S. District Court for Eastern New York in Central Islip. Northwell's two largest hospitals are based in Queens and in Manhasset, New York.