A class action lawsuit filed against Richmond University Medical Center (RUMC) alleges that the hospital failed to protect patients’ sensitive information after a 2023 data breach exposed the personal and health details of over 675,000 individuals.
The complaint, filed on January 7, 2025, in the United States District Court for the Eastern District of New York, claims that RUMC’s inadequate security measures allowed cybercriminals to access confidential data, including personally identifiable information (PII) and private health information (PHI).
The breach occurred on May 6, 2023, but RUMC did not notify affected individuals until December 19, 2024—nearly 19 months later.
Plaintiffs Lisandra Rivera and Michael Sobol argue that the delay increased the risk of identity theft and fraud for those impacted.
According to the lawsuit, RUMC failed to meet industry standards for cybersecurity and did not notify patients promptly as required under the Health Insurance Portability and Accountability Act (HIPAA).
The complaint asserts that the hospital’s negligence left patients vulnerable to financial and emotional harm.
The plaintiffs are seeking damages, including compensation for emotional distress, and are calling for changes to RUMC's data security practices to prevent future breaches. They are also requesting restitution for losses incurred due to the breach.
Attorneys Sonal Jain from Siri & Glimstad LLP and Samuel J. Strauss from Strauss Borrelli PLLC are representing the plaintiffs in the case, which is assigned Case ID 1:25-cv-00113.