A class action lawsuit in Maryland is targeting Johns Hopkins University after its associated health system was subjected to a data breach in late May.
The university system is being blamed for exposing personal health information and personally identifiable data like health information and social security numbers, according to a July 7 filing in Maryland’s federal district court.
“The total number of individuals who have had their data exposed due to Johns Hopkins’s failure to implement appropriate security safeguards is unknown at this time but is estimated to be in the tens/hundreds of thousands based on Johns Hopkins’s clientele,” the filing said.
A patient named Pamela Hunter was listed as the plaintiff in one of at least three class action lawsuits against the system. The lawsuit said Hunter wasn’t aware of a data breach or that the teaching hospital possessed the Baltimore County resident’s data.
Hunter received a letter about the potential data breach on June 24, according to the filing.
“Plaintiff and the Class Members remain, even today, in the dark regarding what data was stolen, the particular malware used, and what steps are being taken to secure their PHI/PII and financial information going forward,” the lawsuit said.
After the data breach of the university and health system’s MOVEit software, which impacted other major agencies and entities, the school said it began investigating and securing private data.
“Until we know more, we strongly urge all students, faculty and staff — as well as dependents — to take immediate steps to protect your personal information as a precautionary measure,” the system said.
Hopkins said it will let those impacted by the breach know more as its investigation continues, and the university will provide resources like credit monitoring services to those impacted by the breach.
A HIPAA rule currently requires notice within 60 days of a discovered breach of protected health information. That notice must include information about what data was breached, guidance for potential victims to protect their data, a description of what is being done to investigate, mitigate and prevent breaches and contact information for the entity.
Johns Hopkins made this information available on a dedicated website for those seeking more information.
“We took immediate action to secure our systems and are working closely with cybersecurity experts and law enforcement to determine what information was compromised,” the organization said. “The attack has had no negative impact on the operations of either Johns Hopkins University or the Johns Hopkins Health System.”
Johns Hopkins University has not shared a public statement or filed a response to the class action complaint.