Date: 09-21-2023

Case Style:

Robert D'Agostini v. Empress Ambulance Service, LLC

Case Number: 7:22-cv-10122

Judge: Kenneth M. Karas

Court: United States District Court for the Southern District of New York (Westchester County)

Plaintiff's Attorney:






Defendant's Attorney: Robyn Mara Feldstein

Description: White Plains class action lawyers represented the Plaintiff who sued the Defendants

1. In or around May 26, 2022, Empress experienced a data breach whereby
unauthorized, third-party hackers gained access to Defendant’s internal systems through a
ransomware attack. Empress did not detect this unauthorized access until July 14, 2022—almost
two months later—at which point those third-party hackers had already exfiltrated the personal
identifying information (“PII”) and protected health information (“PHI”) of approximately
318,558 individuals from Empress’ systems. This PII included, inter alia, those individuals’
names, dates of birth, demographic information, diagnosis and treatment information, medical
record numbers, dates of service, insurance information, prescription information, and social
security numbers.

2. Empress is an emergency medical services and aftercare transportation provider in
the New York metro area. As part of its business operations, Empress collects and stores the PII
and PHI of patients who use its services.

3. Under statute and regulation, Empress had a duty to implement reasonable,
adequate industry-standard data security policies and safeguards to protect patient PII and PHI.
Empress acknowledges that it is bound by these duties in its “Privacy Practices Statement” posted
on its website.1 Despite this, Empress failed to implement such reasonable and adequate data
safeguards and allowed third-party hackers to exfiltrate its patients’ PII and PHI.

4. Plaintiff, individually and on behalf of those similarly situated persons (hereafter
“Class Members”), brings this Class Action to secure redress against Empress for its reckless and
negligent violation of their privacy rights. Plaintiff and Class Members are patients and former
patients of Empress who had their PII and PHI collected, stored and ultimately breached by
Empress.

5. Plaintiff and Class Members have suffered injuries and damages. As a result of
Empress’s wrongful actions and inactions, Plaintiff and Class Members’ names, dates of birth,
demographic information, diagnosis and treatment information, medical record numbers, dates of
service, insurance information, prescription and treatment information, medical record numbers,
dates of service, insurance information, prescription information, and social security numbers have
all been compromised. Plaintiff and Class Members have had their privacy rights violated and are
now exposed to a heightened risk of identity theft and credit fraud for the remainder of their
lifetimes. Plaintiff and Class Members must now spend time and money on prophylactic measures,
such as increased monitoring of their personal and financial accounts and the purchase of credit
monitoring services, to protect themselves from future loss. Plaintiff and Class Members have also
lost the value of their PII and PHI.

6. Further, Empress unreasonably delayed in notifying Plaintiff and Class Members
of the data breach until approximately September 9, 2022—despite having discovered the breach
nearly two months earlier—when it disseminated letters informing Plaintiff and other Class
Members that their PII and PHI had been compromised by the data breach (the “Data Breach
Notice”).

7. Even more egregiously, Empress’s Data Breach Notice sent to Plaintiff omits and
misrepresents key information about the data breach. The Data Breach Notice did not disclose that
the Hive Gang (“Hive”), a notorious ransomware group, had announced that they were behind the
breach. Immediately following the data breach, Hive contacted Defendant by email, in which they
claimed that they had downloaded Empress’ “most important information with a total size over
280 GB,” and claimed to have obtained over 100,000 social security numbers from Empress’
systems.2 This is in stark contrast to Empress’ Data Breach Notice and public disclosures, in which
they claimed that only “a small subset of files” had been copied.3

8. Empress’ Data Breach Notice also failed to inform Plaintiff that the Empress data
breach had been briefly listed on Hive’s leak website, and that files exfiltrated in the data breach
have been discovered available for download on the dark web.4

9. As a result of Empress’s wrongful actions and inactions, patient information was
stolen. Plaintiff and Class Members have had their PII and PHI compromised by nefarious third-
party hackers, have had their privacy rights violated, have been exposed to the risk of fraud and
identity theft, and have otherwise suffered damages. Plaintiff and Class Members bring this action
to secure redress against Empress.

* * *

Outcome: NOTICE OF VOLUNTARY DISMISSAL PURSUANT TO F.R.C.P. 41(a)(1)(A)(i). Pursuant to F.R.C.P. 41(a)(1)(A)(i) of the Federal Rules of Civil Procedure, the plaintiff(s) ROBERT D'AGOSTINI and or their counsel(s), hereby give notice that the above-captioned action is voluntarily dismissed, without prejudice against the defendant(s) EMPRESS AMBULANCE SERVICE, LLC d/b/a EMPRESS EMS. So Ordered., ( Empress Ambulance Service, LLC (a Delaware limited liability company) terminated.) (Signed by Judge Kenneth M. Karas on 9/21/23) (yv) (Entered: 09/21/2023)

Plaintiff's Experts:

Defendant's Experts:

Comments:


