Remember the LifeBridge malware incident disclosed earlier this year, in which more than 500,000 patients were notified of malware that had been discovered in March 2018? LifeBridge’s notification indicated that their investigation had revealed that an unauthorized person had accessed the server in 2016. It wasn’t totally clear to me at the time whether the 2016 access was directly linked to a malware infection discovered in 2018 or if it was just a finding.
Not surprisingly, LifeBridge has been sued over the breach, complete with the expected fanfare and lawyer-issued press release. That press release makes some interesting claims about the incident, which we must obviously view as unproven at this point:
Hackers accessed LifeBridge’s servers through one of its physician practices and installed malware on a server that hosted LifeBridge’s electronic medical records, patient registration, and billing systems. Unbelievably, LifeBridge failed to discover the data breach until approximately March 28, 2018—eighteen months later—allowing the cybercriminals to freely roam its systems during that lengthy period of time. LifeBridge then inexplicably waited nearly two months before disclosing the breach to its patients.
What I’m not seeing in their press release is any claim that illustrates specific harm any patient experienced. Yes, personal and medical information was stolen. But will this lawsuit go the way of so many others and be dismissed for lack of standing in the absence of any demonstration of actual concrete harm? I don’t know Maryland law at all, so I’ll be watching this one.