Just a week after HCA Healthcare reported a data breach that affected more than 170 of their hospitals and possibly affected more than 11 million of their patients, the vast health system is based in Nashville. is facing a class action lawsuit for violations.
WHY IT IMPORTANT
According to the lawsuit, filed in U.S. District Court for the Middle District of Tennessee, plaintiffs Gary Silvers and Richard Marous, two HCA patients living in Florida, “claim monetary damages and ordered compensation.” and claims” arising from HCA’s failure to protect the personally identifiable and protected health information of the patients of “hospitals and physician groups they own or operate, resulting in the unauthorized access to their information systems on or around June 2023.”
The plaintiffs allege that HCA “failed to use reasonable security procedures and practices appropriate to the nature of the sensitive information it was holding” for its patients and customers, such as: encrypt data or delete data when no longer needed.
This disclosure of personal information occurred when an attacker “accessed and obtained files” on HCA’s computer systems, the lawsuit alleges, contained unencrypted information including names, dates of birth, and personal information. appointment message.
The lawsuit says that, because data thieves “regularly target entities in the healthcare industry,” HCA “should have known” about the risk of a cyberattack.
“Defendant knows and understands that unprotected Personal Information is valuable and is sought by criminal parties to illegally monetize such Personal Information through unauthorized access,” according to the lawsuit. plaintiff.
It points to a “significant increase in cyberattacks and/or data breaches” targeting healthcare organizations like HCA as evidence.
“For example, of the 1,862 data breaches recorded in 2021, 330 of them, or 17.7%, were in the medical or healthcare industry,” wrote the plaintiffs’ attorneys. “330 breaches reported in 2021 exposed nearly 30 million sensitive records (28,045,658), compared with just 306 breaches that exposed nearly 10 million sensitive records (9,700,238) in 2020.”
TREND TO BIGGER
Lawsuits following large-scale healthcare data breaches are becoming more common as more larger organizations – providers, payers, providers and others – find themselves they have reported incidents related to PII and PHI of millions of their customers. For instance, Community Health System is another large Tennessee provider network that was sued after a breach exposed the data of about one million of its patients.
The parent company of the Harvard Pilgrim health plan, Point32Health, is defending against multiple class-action lawsuits following a recent ransomware attack.
NextGen was recently sued in federal court after plaintiffs allege the EHR provider failed to follow appropriate guidelines to protect patient data.
This month has seen more than one lawsuit against Johns Hopkins, after the Baltimore-based health system was the target of a ransomware attack in which the Clop ransomware group exploited a vulnerability in the company. Progress Software’s MOVEit MFT tool
Pennsylvania-based Lehigh Valley Health Network is another hospital system facing a class-action lawsuit, which is still underway despite some changes in jurisdiction.
But like HIPAA Magazine pointed out: “Healthcare data breach lawsuits often revolve around whether there is a specific injury that is more likely to be caused by a specific data breach. The lawsuits only allege. risk of identity theft and fraud will not be accepted.”
ON PROFILE
“HCA Healthcare has reported this event to law enforcement and hired third-party forensics and threat intelligence advisors,” the health system said in a statement. “While our investigation is ongoing, the company has not identified evidence of any malicious activity on HCA Healthcare’s networks or systems related to this incident.
“The company has disabled user access to the storage location as an immediate deterrent and plans to contact any affected patients to provide further information and support. assistance, in accordance with its legal and regulatory obligations,” HCA officials added, “and will provide credit monitoring and identity protection services, as appropriate.”
Mike Miliard is executive editor of Healthcare IT News
Email the writer: [email protected]
Healthcare IT News is a publication of HIMSS.
