One Brooklyn Health Cyberattack Breached Patient Data, Prompts Class Action Suit
Hacker outage took down medical systems at hospitals serving some of the city’s neediest neighborhoods. More than 235,000 people may have had personal info taken, lawsuit alleges.
A major health care provider for northeast Brooklyn is for the first time acknowledging that a “cybersecurity incident” that knocked out computer systems at three hospitals for months followed a data breach that accessed patients’ Social Security records, driver’s license numbers, financial account information, medical files and more.
One Brooklyn Health System (OBH) is now facing a class action lawsuit on behalf of patients, filed Wednesday in Brooklyn state Supreme Court, alleging that the attack breached the private personal information of more than 235,000 people.
The outage, first reported by THE CITY, started on Nov. 19, 2022, and went on at least until the end of the year. It disabled computer systems, including electronic medical records, at Interfaith Medical Center, Brookdale Medical Center, Kingsbrook Jewish Medical Center and other facilities associated with One Brooklyn, a network founded with state support to help stabilize financially ailing hospitals.
A memo to patients, also posted on One Brooklyn’s website, reveals that the data breach took place over a period of months before the computer system shut down.
Those impacted by the breach also include the hospital system’s employees and their spouses, and other beneficiaries, according to the notice.
One Brooklyn Health conducted an investigation, it says, and “learned that an unauthorized actor acquired a limited amount of OBH data during a period of intermittent unauthorized access to OBH’s computer systems between July 9, 2022, and November 19, 2022.”
A review by outside experts “determined that personal and medical information relating to individuals was in the affected files,” the notice states, adding: “OBH is unaware of any actual or attempted misuse of the affected information as a result of this incident.”
One Brooklyn Health System did not immediately respond to a request for comment from THE CITY. LaRay Brown, One Brooklyn’s CEO, did not acknowledge the breach as a result of a cyberattack until Dec. 12, in a statement to The New York Times.
To patients, the notice said: “OBH deeply regrets any concerns this incident may cause patients and staff. OBH takes this matter very seriously and will continue to take steps to enhance the security of systems and information OBH maintains to help prevent something like this from happening again.”
The area served by the network is 85% nonwhite, and most patients rely on Medicaid or Medicare government insurance programs, according to a profile of the health network.
‘It’s 100% on Them’
Kiya Johnson of Brooklyn, the lawsuit’s named plaintiff, is represented by Shub & Johns LLC, a Pennsylvania-based law firm that specializes in consumer protection and data breaches. She is seeking damages and restitution from the hospital network for an undisclosed amount, on behalf of herself and others targeted in the attack.
One Brooklyn “didn’t have sufficient security measures in place” to prevent and respond to the attack, attorney Benjamin Johns alleged in an interview with THE CITY on Thursday.
“The buck stops with One Brooklyn Health,” he said. “They’re the entity that was entrusted with their own patient data. It’s 100% on them.”
Johnson received the notice in the mail last week, according to her attorney — who said it is “unacceptable” that One Brooklyn waited five months to notify patients and staff that their private information was breached as a result of the attack.
“Sometimes there are legitimate reasons to not notify the public right away, just because there’s an investigation and you don’t want to tip off the wrongdoers. But when you’re talking six months, or whatever the time period is, that’s extreme,” he said.
“We allege that had they disclosed this earlier, people could have done more to be more vigilant and to protect themselves,” he added.
The attack, which plunged the hospital’s network offline for weeks beginning in mid-November, had medical staff scrambling to take care of patients using old-school methods.
Without access to online medical records, doctors and nurses resorted to writing everything down with pen and paper, and to viewing test results — such as CT scans and other images — directly on testing machines, rather than accessing them via computer anywhere in the hospital.
The network outages also meant doctors were for a time unable to fulfill prescriptions electronically, as required by a state law that went into effect in 2016. Instead, they had to call pharmacies directly, a time-consuming process that led to longer waiting times for patients during the busy flu season.
Days after the outage began, an attending cardiologist at Interfaith described the situation in an interview with THE CITY as “very hectic.”
“There is no network anymore over here,” the doctor, who asked not to be named for fear of retribution, said in an interview at the time. “There are no electronic medical records of any type and there is no network of any type. All computers, everything is down.”
Last summer, the Federal Bureau of Investigation, the Treasury Department and the Cybersecurity and Infrastructure Security Agency warned that hospitals were being targeted in cyberattacks.
One Brooklyn created a dedicated, toll-free hotline for individuals seeking additional information about the incident at 1-833-570-3025, as well as a dedicated email address at email@example.com.