Maternal and Family Health Services sued over data breach

Mar. 20—Maternal & Family Health Services Inc. learned hackers obtained confidential information on more than 460,000 patients, but did not notify affected individuals until nine months after the discovery, according to a proposed federal class action lawsuit.

The nonprofit health and human service agency, which has locations in 17 counties, including Lackawanna, Luzerne, Wyoming, Monroe, Susquehanna and Wanye, learned on April 4, 2022, it was the victim of a sophisticated ransomware attack that began on Aug. 21, 2021. It did not publicly report the incident until Jan. 5, 2023, when it posted a notice on its website, the suit alleges.

The cyberattack is among a growing number of data breaches at health care facilities nationwide. Locally, Lehigh Valley Health Network recently revealed photos of cancer patients undergoing treatment and other confidential information was posted to the dark web after the health system refused to pay the ransom demanded by a Russian cyber criminal group.

The Maternal & Family Health attack resulted in the release of various data, including medical and/or health insurance information, social security numbers, names, addresses, dates of birth, credit card and banking numbers, usernames and passwords, according to the suit filed on behalf of the lead plaintiff, Tammy Chludzinski of Old Forge.

The lawsuit, filed by Philadelphia attorney Daniel E. Bacine and several other attorneys, alleges the organization failed to take adequate safety measures to protect patients' information.

The delay in notification also violated Federal Trade Commission regulations, which require victims of data breaches be notified within no more than 60 days after the discovery, the suit says. The delay caused further harm because it prevented patients from taking immediate action to protect themselves against potential identity theft.

Attempts to reach officials with Maternal and Family Health for comment Monday were unsuccessful. In a statement posted on the agency's website, it said it immediately hired an outside agency to conduct a forensic analysis to identify affected patients, who were then notified by letter.

"Maternal & Family Health Services takes the protection our patients' and employees' personal information seriously," the statement says. "We understand the inconvenience and concern this incident may cause and are committed to strengthening our systems' security to prevent this kind of incident from happening again."

The lawsuit seeks damages on five counts, including negligence, breach of contract and breach of fiduciary duty.

Contact the writer:; 570-348-9137; @tmbeseckerTT on Twitter.