‘Cybercriminals’ stole patient, employee data at Lexington Medical Center, lawsuit alleges

Cybercriminal hackers breached secure defenses at Lexington Medical Center and made off with patient and employee data, according to a lawsuit filed Thursday, Feb. 29, in federal court in Columbia.

The 32-page lawsuit was filed by Michelle Sutherland, who identifies herself as a citizen of Lexington and a former patient at Lexington Medical Center in West Columbia.

The records of as many as 1.7 million employees or patients at Lexington Medical Center may have been compromised, the lawsuit alleged.

The lawsuit seeks class action status. A judge must grant that status, which would allow for other, similar lawsuits filed against Lexington Medical Center to be grouped together and tried as a whole. So far, Sutherland’s appears to be the first.

A hospital spokeswoman had no immediate comment.

As required by South Carolina law when data breaches at large companies occur, Lexington Medical Center filed a public notice of the breach on Feb. 12 with the S.C. Department of Consumer Affairs.

That public notice said one Lexington Medical Center employee’s email account and an individual data drive had been breached on Oct. 4. The hospital then did an “extensive forensic investigation and manual document review” and discovered that the employee’s email account and associated individual drive contained Personal Identifiable Information and Protected Health Information, the public notice said.

Lexington Medical Center’s Feb. 12 public notice said the breach affected 1,942 South Carolina residents. It did not contain the figure of 1.7 million potentially affected individuals that the lawsuit claims. The lawsuit cited as the source for its figure a Feb. 20 article in a digital medical newsletter called Medriva.

The public notice also apologized for the breach. “We are committed to maintaining the privacy of personal information in our possession and have taken many precautions to safeguard it. We continually evaluate and modify our practices and internal controls to enhance the security and privacy of your personal information,” the notice said.

Lexington Medical Center employs more than 8,000 people and is one of the Midlands’ largest hospital-medical systems. It has a teaching hospital, five medical centers, seventy doctors’ offices, an emergency room, an occupational health center, and a specialized care center for Alzheimer’s patients. It also treats 100,000 patients per year and performs 25,000 surgeries annually, according to the lawsuit.

“As part of its normal operations, Lexington Medical Center collects, maintains, and stores large volumes of private information belonging to its current and former patients,” the lawsuit said.

“Current and former patients of Lexington Medical Center, such as Plaintiff and Class members, made their private information available to LMC with the reasonable expectation that any entity with access to this information would keep that sensitive and personal information confidential and secure from illegal and unauthorized access,” the lawsuit said.

Delays in notifying people whose information may have been compromised “virtually ensured that the cybercriminals ... could monetize, misuse and/or disseminate” the private information, the lawsuit said.

As a result, identities and other personal information of individuals in Lexington Medical Center’s database may have already been stolen, the lawsuit said.

“They face the real, immediate, and likely danger of identity theft and misuse of their private information. And this can, and in some circumstances already has, caused irreparable harm to their personal, financial, reputational, and future well-being,” the lawsuit said.

Stolen personal information is “routinely traded on dark web black markets as a simple commodity, with social security numbers being so ubiquitous to be sold at as little as $2.99 apiece and passports retailing for as little as $15 apiece... Criminals and other unsavory groups can fraudulently take out loans under the victim’s name, open new lines of credit, and cause other serious financial difficulties for victims,” the lawsuit said.

Stolen medical records can command prices of $250 to $1,000 each on the internet’s dark web, the lawsuit said. “Medical records are considered the most valuable because unlike credit cards, which can easily be canceled, and Social Security numbers, which can be changed, medical records contain” a patient’s medical history and health insurance information, the lawsuit said.

Lawyers for Sutherland include members of a Chicago law firm, Cafferty Clobes Meriwether & Sprengel, as well as Columbia attorneys Jim Griffin, Margaret Fox and Badge Humphries.

The lawsuit does not ask for specific damages but says “the matter in controversy exceeds the sum of $5 million.”

The federal judge assigned to the case is U.S. Judge Sherri Lydon.