·  Legal News, Analysis, & Commentary

Health & Medicine

Vermont Medical Center’s Patient Records are Compromised

— September 20, 2022

Lamoille Health Partners claim it’s taken measures to better safeguard patient information.

When making decisions about medical treatment, it is best for the patient and the doctor to work together, and informed consent to remain at the center of this model of care. For patients to actively participate in decisions that reflect their values and preferences, they need access to relevant information, and physicians play a crucial role as educators, always ensuring to also discuss HIPAA laws when discussing matters of confidentiality in handling patient records.

It might be stressful, if not impossible, for a doctor to verify that a patient has provided fully informed consent due to their lack of medical knowledge. Therefore, it is practically axiomatic that doctors tell patients about the potential downsides of treatment so that they may make an educated decision. Despite all of these human-led safeguards during exchanges between doctors and their patients to try and ensure patient information is kept secure, isn’t a foolproof process. Sometimes computer-generated attacks compromise the patient records that the two parties have painstakingly tried to keep safe.

Vermont Medical Center's Patient Records are Compromised
Photo by Thirdman from Pexels

Patients have filed a lawsuit against a health center in Morrisville, Vermont, claiming a ransomware assault compromised their private data documented in patient records. They’ve alleged that Lamoille Health Partners did not take appropriate measures to protect their personal information, did not follow HIPAA security standards, and waited too long to warn patients that their information may have been stolen.

In June, Lamoille Health Partners announced to employees that it would have to temporarily shut down its servers because administrators noticed suspicious, unauthorized activity. Ultimately, the shut down last more than a week. Patient names, residences, dates of birth, social security numbers, health insurance information, and medical treatment information were all subject to the attack. However, the public did not become aware of the threat until mid-August. During that time, the center was supposedly coordinating with the Federal Bureau of Investigations (FBI) to learn more and identify next steps. On August 11th, the clinic officially announced what had occurred.

According to the complaint, there were roughly 60,000 patients who may have been harmed. Those who’ve joined the complaint are asking for Lamoille Health’s security systems to be enhanced in order to better protect against future threats as well as for monetary damages. When the official announcement was made, Lamoille Health said it had already provided identity protection and credit monitoring services and didn’t believe that the data was being used for criminal purposes.

“We’re not sure what happened but following our protocol and due to the sensitivity of the nature is why we alerted the FBI, and they are working and we’re cooperating with them in our investigation,” said Stuart May, the CEO of Lamoille Health Partners. “We went ahead and followed established protocols, mitigated the situation, and out of the abundance of caution, we’re offering this complimentary identity protection and credit monitoring services. And from there, it’s been business as usual. Once we reach that point where we feel like we have more information to share, we will of course do that at that time along with any state or federal requirements of reporting these types of breaches.”


Patients sue Vermont health center, claim it failed to safeguard their info

Vermont health center sued over ransomware attack that affected 60,000 patients

New details on security breach at Vermont health center

Join the conversation!