Data Breach At CentraState In Freehold Twp. Prompts Lawsuit

FREEHOLD, NJ — An attorney for a Manalapan woman has filed a class action complaint against CentraState Medical Center, following a cybersecurity breach last year of patient information at the Freehold Township hospital.

Plaintiff Rita Sorrentino-Poggi, individually and on behalf of all others "similarly situated," brought the suit, according to the complaint filed in state Superior Court in Freehold, Monmouth County.

She is represented by Benjamin Johns, a consumer protection attorney based in Haddonfield.

The complaint came out of the Dec. 29, 2022 data breach involving CentraState that collected and stored certain personally identifiable information and/or protected health information of the plaintiff and others, the suit says.

The hospital estimated 617,000 people could have been affected by the data breach and sent out letters notifying them of the breach.

"Highly-sensitive information" was subject to the breach, the suit alleges, including but not limited to names, addresses, birthdays, Social Security numbers, health insurance information, medical records, and patient account numbers, and in some instances information related to care received at CentraState, such as dates of service, physician names and departments, treatment plans, diagnoses, visit notes, and/or prescription information."

Social Security numbers are particularly valuable to criminals, the suit notes.

"This information can be sold and traded on the dark web black market. The loss of a Social Security number is particularly troubling because it cannot be easily changed and can be misused in a range of nefarious activities, such as filing fraudulent tax returns to steal tax refund payments, opening new accounts to take out loans, and other forms of identity theft," according to the suit.

It alleges the breach was "a direct result of defendant’s failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect consumers’" information.

"Inexplicitly, the defendant has acknowledged that the cybersecurity attack occurred in December 2022, but it has only recently begun contacting class members, according to the lawsuit.

The suit alleges the hospital failed "to provide timely and adequate notice to the plaintiff and other class members that their information was unsecured and left open to the unauthorized access of any unknown third party."

Sorrentino-Poggi was notified by the hospital of the data breach in a letter dated Feb. 8, the suit says.

This letter confirmed that her Social Security number and “information related to care that (she) received at CentraState” (among other types of information) may have been included in the compromised database.

The complaint alleges she "suffered actual damages including, without limitation, time and expenses related to monitoring her financial accounts for fraudulent activity, facing an increased and imminent risk of fraud and identity theft, the lost value of her personal information, and other economic and non-economic harm."

Those affected "will now be forced to expend additional time to review their credit reports and monitor their financial accounts and medical records for fraud or identify theft – particularly since the compromised information may include Social Security numbers," the complaint says.

Earlier this month, CentraState Healthcare System alerted consumers to the security incident.

In a statement Feb. 10, the hospital said that on Dec. 29, 2022, CentraState detected unusual activity involving its computer systems.

It "immediately took steps to contain the incident and initiated an investigation, which included assistance from a forensics firm, and reported the incident to law enforcement, including the Federal Bureau of Investigation," the hospital said in the statement.

The hospital investigation determined that on Dec. 29, "the unauthorized person obtained a copy of an archived database that stored certain patient information. The data involved varied by individual, but included information such as names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers and patient account numbers.

"Additionally, some information related to care received at CentraState, such as dates of service, physician names and departments, treatment plans, diagnoses, visit notes, and/or prescription information, was accessed."

The hospital said "there was no financial account and/or payment card information involved in this incident."

Beginning on Feb. 10, CentraState mailed letters to consumers whose information may have been affected in the incident.

In the letter, CentraState offered complimentary credit monitoring and identity theft protection services to individuals whose Social Security number was involved.

Patients were also "encouraged to review statements they receive from their healthcare providers and health insurer, and immediately report any inaccuracies to the provider or insurer."

CentraState’s website or its dedicated, toll-free call center at 866-674-3076 were available to assist those affected, the statement said.

"CentraState deeply regrets any concern this incident may have caused and is continually enhancing the security of its electronic systems and the patient data it maintains to help prevent events such as this from occurring in the future. Events of this nature are affecting an increasing number of companies in the U.S. and around the world, and federal government, law enforcement and industry experts are working in tandem to address this unlawful criminal activity," the hospital said in the statement.

The hospital had no comment yesterday on the lawsuit, said spokesperson Lori Palmer. But she said all operations at the hospital are "back to normal." The breach resulted in a temporary diversion of patients in December, the hospital said at the time.

The attorney filing the suit against the hospital, Johns, is a consumer protection lawyer and partner at Shub Law Firm in Haddonfield.

He said the suit also requests certification of the complaint by the court as a class action.

CentraState Healthcare System is a partner of Atlantic Health System.