A New London woman has brought a class-action lawsuit against the University of Connecticut and UConn Health over a data breach that she says led to her identity being stolen and fraudulent activity occurring with her bank account.
On Feb. 22, UConn Health announced that a third party had accessed a limited number of employee email accounts, which led to the exposure of personal information for 326,000 UConn Health patients.
According to UConn Health, the information included some individuals’ names, birth dates, addresses, and limited medical information, such as billing and appointment details.The Social Security numbers for approximately 1,500 people also were compromised.
The lawsuit, brought by Yoselin Martinez, faults UConn for failing to implement “adequate and reasonable cybersecurity procedures and protocols” to prevent “phishing” attacks such as the one that led to the data breach. The lawsuit also faults UConn for not detecting the breach sooner than it did, and for not notifying patients until nearly two months later.
The lawsuit says that UConn officials have said publicly that the information was first compromised in August 2018. UConn said in its Feb. 22 statement that it learned on Dec. 24 that the compromised accounts contained some sensitive patient information. UConn said it didn’t know for certain whether any personal information was ever viewed or acquired by an unauthorized party, nor was it aware of any instances of fraud or identity theft as a result of the incident.
According to the lawsuit, shortly after receiving notice from UConn Health, Martinez checked her bank account and found that it had gone into overdraft. After talking with a bank representative, she learned that there had been a fraudulent transaction on her account.
The lawsuit says that in addition to the fraudulent transaction, Martinez will be further harmed by remaining at a heightened risk for financial fraud and identity theft for years to come.
The lawsuit described the ongoing inconvenience that the breach poses to Martinez and other potential class-action plaintiffs, saying they’ve been required to “take the time which they otherwise would have dedicated to other life demands such as work and family in an effort to mitigate the actual and potential impact of the data breach on their lives.”
Those efforts include placing freezes or alerts with credit reporting agencies, contacting financial institutions, closing or modifying financial accounts, closely reviewing and monitoring credit reports and accounts for unauthorized activity, and filing police reports, the lawsuit says.
The lawsuit also faults UConn Health for not offering to provide impacted patients with “any assistance or meaningful compensation for the costs and burdens” resulting from the breach.
On Feb. 22, UConn Health said it included for patients information on steps they could take to protect themselves against potential fraud or identity theft. It also said it was offering free identity theft protection services to individuals whose Social Security numbers were compromised.
UConn Health spokesman Delker Vardilos said Wednesday that UConn Health wouldn’t comment on the pending litigation, nor would he say how many lawsuits have been brought as a result of the breach thus far.
He wouldn’t state when UConn Health learned of the data breach, only saying that once UConn Health learned of the breach, it hired a “leading forensic security firm.” After conducting a “thorough search” of the contents of the compromised email accounts, it determined on Dec. 24 that some of the accounts contained personal information.
“We immediately began identifying potentially impacted individuals and then had to confirm mailing addresses to notify those individuals,” he said. “As soon as we could determine what personal information was involved and could confirm mailing addresses, we began notification.”
Martinez is seeking a mandatory injunction from the court directing UConn Health to “adequately safeguard” the personal data of the potential class members of the lawsuit, as well as damages, costs and expenses, and attorneys’ fees.