The
Medical College of Wisconsin (MCW) is being sued by a Greenfield man following a data breach that occurred last year and led to thousands of customers having their private health and personal data stolen.
MCW and Burlington, Massachusetts-based
Progress Software Corp. are named as defendants in the class action complaint, which was filed last week in U.S. District Court for the Eastern District of Wisconsin.
Roger Winstanley filed the lawsuit on behalf of himself and other MCW customers who may have been affected by the data breach. He alleges MCW failed to properly secure private health information including customers’ names, birth dates, social security numbers, medical records and more.
An online notice posted by MCW last November informed customers the company had been notified by a third-party vendor of a security vulnerability within the MOVEit transfer platform. MCW uses PSC’s MOVEit software to store patient files. On Sept. 21, 2023, MCW learned private customer information had been accessed and “potentially removed by an unauthorized party” on May 27, 2023.
An IT incident report submitted to the U.S. Department of Health and Human Services Office for Civil Rights states 240,667 people were affected by the cyberattack.
"PSC stored, maintained, and/or hosted plaintiff and class members’ private information on its MOVEit transfer services software that was negligently and/or recklessly configured and maintained," according to the lawsuit.
The lawsuit also alleges MCW "negligently chose to utilize PSC’s MOVEit software" to store and transfer private information despite the platform containing security vulnerabilities.
The cyberattack was carried out by the Russian cybergang Clop, court documents show. The organization is made up of hackers who sell unencrypted and unredacted private information to criminals on the dark web.
Personal information can be sold at prices ranging from $40 to $200, court documents show. Criminals can also purchase access to entire company data breaches from $900 to $4,500. Clop recently carried out similar attacks against file transfer companies including Accellion and Fortra.
"(Affected customers) now face a current and ongoing risk of identity theft, which is heightened here by the loss of social security numbers – the gold prize for identity thieves," according to the complaint.
"MCW has no evidence that any personal information has been or will be misused as a direct result of this incident," according to a statement from MCW in November. "However, out of abundance of caution, commencing on November 14, 2023, MCW notified individuals whose information may have been included in the files potentially removed by the unauthorized party."
MCW said it “continually evaluates and modifies" its cybersecurity practices to bolster the security and privacy of the personal information it maintains.
The lawsuit seeks to recover monetary damages for impacted customers and to require MCW to implement, maintain and regularly review a threat management program designed to monitor the company’s IT networks. The financial amount in controversy exceeds $5 million, according to the complaint.
A spokesperson with MCW declined to comment further on the lawsuit when reached Tuesday.
"Regarding the specific class action complaint Roger F. Winstanley v. Progress Software Corporation and The Medical College of Wisconsin, The Medical College of Wisconsin has not yet been served with this class action lawsuit, and therefore cannot comment further," according to a Tuesday statement from MCW.
