Skip to main content

Portland Anesthesiology Practice Faces Lawsuit Over Data Breach

Lawyer seeks class action status for Multnomah County case.
April 28, 2022

A large Oregon anesthesiology practice is being sued by a Portland patient over a breach of health and personal data last year that may have involved information on hundreds of thousands of patients.

The patient is seeking class-action status for the lawsuit and wants, among other things, for the court to order the anesthesiology practice to upgrade its data protection and pay for identity theft and credit monitoring for patients for at least three years.

The lawsuit was filed on April 7 by Parke Eldred against Portland-based Oregon Anesthesiology Group in Multnomah County Circuit Court.

The anesthesiology business has not yet filed a response in court, but CEO Ursula Luckert said in an email to The Lund Report that the firm acted promptly, has upgraded its data protections and patients have been offered 12 months of free credit monitoring.

“OAG thoroughly reassessed our security architecture and protocols, and we have since implemented additional upgrades to ensure the security of our patient data,” she added. “OAG does not store patients’ full medical records or their Social Security or credit card numbers.”

Oregon Anesthesiology Group provides services at more than 30 Oregon facilities, including hospitals, surgery centers and office-based practices in the Portland metro area and also in the Salem and Corvallis areas.

It’s far from the only company to be hit by hackers. According to the online news site HIPAA Journal, data breaches have continued to climb steadily despite increased attention to cybersecurity — doubling last year alone. 

Of the largest reported U.S. breaches in 2021, the Oregon company’s ranked 13th out of 26, according to the journal.

Suit Targets Timing

The lawsuit cites how long the anesthesiology practice allegedly waited until it alerted patients.

The lawsuit states that a “cyberattack” was carried out on the firm’s servers starting on July 3, 2021. The company discovered the breach on July 11 and halted it by July 15, the lawsuit said.

Roughly three months later, on Oct. 21, the FBI alerted the business that it had seized an account belonging to HelloKitty, a “Ukrainian hacking group,” which contained records of the patients and employees of the anesthesiology group, the lawsuit said, adding that the anesthesiology group “waited until December 6, 2021, approximately five months after the data breach, to issue its first notice” to patients.

The lawsuit accused the company of “lax security,” saying Eldred and “at least 750,000 other patients have had the most sensitive details of their lives and identities, including sensitive information for minor children and people in underserved communities, accessed and stolen by malicious cybercriminals.” 

It further alleged that “since the data breach, Eldred has noticed suspicious activity in his Wells Fargo bank account, including $700-$800 worth of fraudulent charges in a single day.”

Under the anesthesiology group’s privacy agreements with patients, the company should have notified patients of any data breach within 60 days of it occurring, the lawsuit said.

The company’s delay in notifying patients violates Oregon consumer law, the lawsuit said.

The lawsuit wants the judge to certify the complaint as a class action. A judge would need to determine that the patients whose data was stolen constitute an aggrieved class.

The lawsuit also wants the court to order the firm to upgrade its data protections and to provide security and credit monitoring for at least three years.

Luckert stated to The Lund Report that the business “took all necessary steps to address the cyberattack, adding that“OAG restored our systems within days and engaged a cyber forensics firm to determine the full extent of the event.”

Although the company doesn’t store full medical records, credit card or social security info, “we provided our patients with a complimentary 12-month membership to Experian’s IdentityWorks, which includes credit monitoring, internet surveillance, identity restoration and up to $1 million in identity theft insurance services,” she wrote.

Oregon Anesthesiology Group is  physician-owned and has about 275 doctors and other medical professionals, according to its website.

You can reach Christian Wihtol at [email protected].