The lawsuit filed last week in Lackawanna County Court names as defendants Commonwealth Health Physician Network, also known as Great Valley Cardiology or GVC, and Scranton Cardiovascular Physician Services LLC.
Commonwealth Health announced June 12 that hackers had breached GVC's computer network and potentially obtained the private information of 181,764 patients and others. The breach first occurred Feb. 2 but wasn't discovered until April 13, the health system said.
It was the latest in a series of data breaches involving medical providers in Northeast Pennsylvania.
A notice GVC published on its website said the impacted files contained sensitive data about current and former patients, including names, Social Security numbers, credit card and banking numbers, and medical information, according to the lawsuit filed on behalf of the lead plaintiff, Michele Jarrow of Olyphant.
The lawsuit, filed by Radnor attorney Andrew W. Ferich, said the breach was a direct result of GVC's failure to implement "adequate and reasonable" procedures to protect the information from the foreseeable threat of a cyberattack.
The injury to Jarrow and other class members was compounded when GVC did not alert patients their personal information was subject to unauthorized access until June 12, nearly two months after the discovery of the breach, the complaint said.
"GVC's failure to timely notify the victims of its data breach meant that plaintiff and class members were unable to immediately take affirmative measures to prevent or mitigate the resulting harm," the suit said.
The complaint alleged Jarrow has already suffered harm from the breach, having received notification from the McAfee computer security software service that her information was found on the dark web.
"Once personal information is exposed, there is virtually no way to ensure that the exposed information has been fully recovered or contained against future misuse," the suit said. "For this reason ... Jarrow will need to maintain heightened measures for years, and possibly her entire life."
Commonwealth Health spokeswoman Annmarie Poslock said it is the health system's practice not to comment on litigation.
In publicly acknowledging the breach earlier this month, Commonwealth Health said it needed two months after the breach's discovery in April to conduct a forensic audit to identify everyone whose information was potentially compromised.
The lawsuit seeks damages on multiple counts, including negligence, breach of fiduciary duty, breach of contract and unjust enrichment.
© 2023 The Citizens' Voice (Wilkes-Barre, Pa.). Distributed by Tribune Content Agency, LLC.
