Zoll Medical, a Massachusetts-based medical device maker, has faced at least seven proposed class-action lawsuits since it revealed that the data of one million individuals was compromised in a hacking incident involving the company’s internal network.
The lawsuits allege negligence by Zoll in failing to protect sensitive information, putting class members at increased risk of identity theft. Plaintiffs in the lawsuits are seeking monetary damages as well as improvements to Zoll’s security practices.
One of the plaintiffs, Robert Smith, alleges in his lawsuit that he was already harmed by the Zoll incident.
He says that he found an unauthorized charge for $49.99 in his bank account after receiving Zoll’s breach notice letter on March 13. Zoll declined to comment on the lawsuits, saying the company does not comment on pending litigation.
The cybersecurity incident affects current and former users of the company’s LifeVest device – a wearable cardioverter defibrillator worn by patients at high risk of sudden cardiac death. The incident did not affect the operation or safety of the product or any other Zoll medical device or related software. The affected data includes name, address, birthdate, and Social Security number.
Jason Johnson, a partner at law firm Moses Singer, who is not involved in the Zoll litigation, said that the healthcare industry is highly targeted by hackers because of the sensitive information it collects and maintains about its users.
He advised medical device companies to evaluate their current cybersecurity posture and practices to minimize the damage or harm caused when a data breach occurs.
This includes evaluating who has and who needs system administrative rights, reviewing password policies, implementing two-factor authentication, and conducting additional cybersecurity training for their workforce.