Johns Hopkins University and Johns Hopkins Health System are facing lawsuits over a recent data breach that occurred through the popular MOVEit file transfer application. The breach exposed the protected health information (PHI) of numerous patients, leading to concerns regarding the institutions’ failure to adequately secure sensitive data.
Although the investigation into the data breach is still ongoing, Johns Hopkins has confirmed that the stolen information includes individuals’ names, addresses, dates of birth, and Social Security numbers. However, the exact number of impacted staff members, students, and patients has not yet been disclosed. This lack of transparency has fueled the frustration among the victims and has prompted them to take legal action.
Two lawsuits have been filed against Johns Hopkins, alleging that the institutions either intentionally or negligently failed to implement adequate measures to safeguard PHI. The plaintiffs argue that the defendants did not follow the required protocols and policies regarding data encryption, even for internal use. They also claim that Johns Hopkins violated the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule by delaying breach notifications without sufficient justification.
The first lawsuit additionally accuses Johns Hopkins of failing to adequately secure the data of potentially hundreds of thousands of individuals. The plaintiffs argue that the breach has resulted in significant harm, including potential identity theft and financial fraud. They contend that the victims have had to spend time and money protecting their stolen data from fraudulent activities.
The second lawsuit raises similar concerns and accuses Johns Hopkins of negligence, breach of fiduciary duty, breach of confidence, intrusion upon seclusion/invasion of privacy, breach of implied contract, and unjust enrichment. Both lawsuits seek damages and injunctive relief for the affected individuals.
The outcome of these lawsuits is likely to depend on whether the plaintiffs can demonstrate concrete injuries resulting from the breach. Proving a connection between the breach and specific harm suffered by the victims will be crucial in determining the defendants’ liability. If the plaintiffs can establish a causal link, Johns Hopkins may face significant legal and financial consequences.
This incident raises broader questions about data security and the importance of safeguarding sensitive information, particularly in the healthcare sector. With the increasing prevalence of cyberattacks targeting personal and medical data, organizations must take proactive measures to protect against breaches. Failure to do so not only exposes individuals to potential harm but also leaves institutions vulnerable to legal action and reputational damage.
As the investigation into the MOVEit data breach continues, it remains critical for all organizations to prioritize cybersecurity measures and ensure the secure handling of personal and sensitive data. Safeguarding individuals’ privacy, security, and fundamental rights should always be a top priority when collecting, storing, and transmitting any form of personal information. By implementing robust security protocols and staying vigilant against evolving cyber threats, organizations can protect themselves and their stakeholders from the potentially devastating impacts of data breaches.