Data breach leads to legal action against Carmel-based Otolaryngology Associates


A class action complaint has been filed against Carmel-based Otolaryngology Associates after a cyberattack in February led to personal and health information of patients being stolen.

According to the complaint, which was filed April 16 in Marion County, the data breach occurred between Feb. 17 and 21 and affected nearly 317,000 people, including current and former patients, employees and providers. OA operates 13 medical offices throughout central Indiana, including in Carmel, Fishers and Noblesville.

The complaint states that those impacted were not notified until more than a month and a half after the data breach and that information potentially compromised includes names, codes related to services provided, Social Security numbers, contact information and driver’s license numbers.

“Plaintiff’s and Class members’ sensitive (personal identifying information) has been released into the public domain,” the complaint states. “They have had to, and will continue to, spend time to protect themselves from fraud and identity theft.”

OA and its attorneys did not immediately respond to a request for comment. According to a notice it sent to those affected by the data breach, OA discovered the attack “within hours after it began” and took immediate steps to try to stop it. The notice states that on Feb. 20 and 21, the attacker sent three communications claiming to have stolen data and threatened to release it publicly.

OA contacted the FBI and hired a forensic cybersecurity response firm, and an investigation concluded that the attacker did not view individual documents but ran programs to exfiltrate data from OA’s systems, the notice states.

“The hacker did not gain access to the OA medical records system,” the notice states. “For the vast majority of individuals, the information impacted included billing records and did not include Social Security numbers or driver’s license numbers.”

The complaint accuses OA of breach of contract, unjust enrichment, negligence and breach of fiduciary duty. It seeks the court to require OA to notify those impacted by the breach of its full nature and extent, award damages (amount to be determined) and award attorneys’ fees and costs.