University of Connecticut Health Center, Farmington. University of Connecticut Health Center, Farmington. Photo: Google maps

The first lawsuit stemming from February's announcement that a University of Connecticut Health Center data breach could have affected 326,000 current and former patients has been filed in federal court.

The putative class action lawsuit, filed March 18 on behalf of New London resident Yoselin Martinez, alleges the health center notified those affected months after the fact and also states the center could have done more to prevent the breach.

The 31-page lawsuit states, “UConn disregarded the rights of plaintiff and class members by intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected.”

The lawsuit said the health center announced Feb. 25, nearly two months after the breach was identified, that a hacker had gained access to a number of employee email accounts through a phishing attack that subsequently exposed the personal data of the current and former health center patients. The exposed personal information, the lawsuit says, included patients' names, date of birth, addresses, medical information and Social Security numbers.

According to the lawsuit, credit bureau Experian found in a study that the average total cost of medical identity theft is about $20,000 per incident, and that a majority of victims of medical identity theft were forced to pay out-of-pocket costs for health care they did not receive in order to restore coverage.

Martinez alleges shortly after being notified of the breach she checked her bank account, which had been overdrawn. Upon speaking with a bank representative, the lawsuit says, Martinez was informed that the charge was a result of a fraudulent transaction on her account.

“In addition to the fraudulent activity currently affecting Ms. Martinez as a result of the breach, she will continue to be at heightened risk for financial fraud and identity theft and their attendant damages for years to come,” the lawsuit says.

The lawsuit maintains there were major problems with the health center's security protocols from the get-go.

“The deficiencies in defendants' data security protocols were so significant that the breach likely remained undetected for months,” the suit says. “Intruders, therefore, had months to access, view, and steal patient data unabated. … Timely action by UConn would likely have significantly reduced the consequences of the breach.”

The lawsuit seeks at least $5 million in damages. It also seeks designation as a class and that the health center implement improved security procedures and measures.

Delker Vardilos, the health center's interim health information officer, said Tuesday the center does not comment on pending litigation.

The lawsuit did include the health center's statement last month after it announced the breach.

That statement reads: “UConn Health recently learned that an unauthorized third-party illegally accessed a limited number of employee email accounts. Upon learning of the incident, we immediately took action, including securing the impacted accounts to prevent further unauthorized access and confirming the security of our email system. We also notified law enforcement and retained a leading forensic security firm to investigate and conduct a comprehensive search for any personal information in the impacted email accounts.”

Representing the plaintiff are Brian Murray of Glancy Prongay & Murray and Jean Sutton Martin of North Carolina-based Morgan & Morgan. Neither attorney responded to a request for comment Tuesday.

As of Tuesday, the health center had not assigned an attorney to the matter.

The lawsuit cites six counts, including negligence, breach of contract and invasion of privacy.

Judge Vanessa Bryant is scheduled to hear the case.