Clinical Registry Solutions accused of failing to protect patient and employee data in ransomware breach



Sensitive personal and health information belonging to patients and employees was exposed after a cyberattack targeted a healthcare data management company’s computer systems in May 2026, according to a newly filed class action complaint. The legal filing alleges that the company’s failure to secure its network allowed hackers to access highly confidential records, raising concerns about privacy and identity theft for those affected.

The complaint was filed by Albert Dowdell on May 18, 2026, in the United States District Court for the Eastern District of New York against Clinical Registry Solutions (CRS), a clinician-led organization providing registry abstraction and healthcare data management services across the United States and Canada.

According to the document, CRS failed "to properly secure, safeguard, encrypt, and/or timely and adequately destroy Plaintiff’s and Class Members’ sensitive personal identifiable information." This alleged lack of security led to a significant data breach in early May 2026 when the ransomware group known as Akira infiltrated CRS’s computer systems. The attackers reportedly exfiltrated approximately 41 gigabytes of sensitive data including patient registry information, employee personal details such as Social Security numbers and health records, financial documents, contracts, agreements, and non-disclosure agreements.

The complaint cites public reports from cybersecurity sources including DeXpose.io that detailed how Akira ransomware operates by exploiting vulnerabilities through phishing emails or VPN endpoints. The group is described as demanding large ransoms or threatening public disclosure of stolen data if payments are not made. As stated in the filing: “Defendant has not provided adequate notice to all affected individuals.”

CRS collects and stores extensive private information as part of its business operations with hospitals. This includes names, addresses, dates of birth, email addresses, telephone numbers, Social Security numbers (for employees and some patients), driver’s license numbers, passport numbers, insurance details, medical diagnoses and treatments, medications, lab results, and other clinical registry data. The plaintiff argues that this volume of sensitive material made CRS an attractive target for cybercriminals.

The lawsuit claims that CRS maintained this private information "in a reckless manner" by leaving it vulnerable on inadequately protected networks despite being aware of the risks posed by cyberattacks within the healthcare sector. It further alleges that CRS failed to monitor its systems effectively: “Had CRS properly monitored its property,” the complaint states, “it would have discovered the intrusion sooner rather than allowing cybercriminals unimpeded access.”

As a result of the breach, "Plaintiff's and Class Members’ identities are now at risk because...the Private Information...is now in the hands of data thieves." Potential consequences outlined include new financial accounts opened fraudulently in victims’ names; fraudulent tax returns; false medical claims; unauthorized government benefits; identity theft involving driver’s licenses; or misuse during police encounters.

Plaintiff Albert Dowdell reports experiencing "a marked uptick in unsolicited spam telephone calls" since learning about the incident through public reporting. He states he now spends about one hour each week monitoring his financial accounts for signs of fraud—a precaution he attributes directly to concerns raised by the breach.

The legal arguments presented assert violations under several statutes including HIPAA (Health Insurance Portability and Accountability Act) requirements for safeguarding protected health information (PHI), as well as obligations under Section 5 of the Federal Trade Commission Act prohibiting unfair practices related to consumer data protection. Additional claims include negligence per se due to alleged statutory violations; breach of implied contract based on expectations that CRS would keep personal information secure; breach of fiduciary duty; unjust enrichment; and requests for declaratory relief.

Plaintiffs seek remedies such as compensatory damages for time spent monitoring accounts or purchasing credit protection services; reimbursement for out-of-pocket costs incurred due to fraud risks; injunctive relief requiring improved cybersecurity measures at CRS—including regular audits—and long-term credit monitoring funded by CRS itself.

The proposed class includes all individuals whose private information was compromised during the May 2026 incident at Clinical Registry Solutions. The case is identified as Case No. 1:26-cv-02948. Attorney names are not specified within this portion of the court filing.

Source: 126cv02948_Dowdell_v_Clincal_Registry_Solutions_Complaint_Eastern_District_New_York.pdf
