Just a week after HCA Healthcare reported a data theft that affected more than 170 of its hospitals and could affect more than 11 million patients, the giant Nashville-based health system is facing a class action lawsuit over the breach.
Why it matters
According to the lawsuit filed in the U.S. District Court for the Middle District of Tennessee, plaintiffs Gary Silver and Richard Marus, two HCA patients living in Florida, seek “monetary damages” and “injunctive and declaratory relief” arising from HCA’s failure to protect personally identifiable information and “protected health information of patients of its owned or operated hospitals and physician groups, resulting in unauthorized access to its information systems on or around June 2023.”
The plaintiffs allege that HCA did not use “reasonable security procedures and practices commensurate with the nature of the sensitive information” for its patients and customers, such as encrypting data or deleting it when it is no longer needed.
This personal information was exposed when an attacker “accessed and obtained files” in HCA’s computer system, which the lawsuit alleges contained unencrypted information including name, date of birth and appointment information.
The lawsuit states that, given that data thieves “regularly target entities in the healthcare industry”, the HCA “should have known” about the risk of cyberattacks.
According to the plaintiffs’ lawsuit, “Defendants knew and understood that unprotected personal information is valuable and highly sought after by criminal parties seeking to illegally monetize that personal information through unauthorized access.”
It points to a “substantial increase in cyber attacks and/or data breaches” targeting healthcare entities such as HCA as evidence.
“For example, of the 1,862 data breaches reported in 2021, 330, or 17.7%, were in the medical or healthcare industry,” writes the plaintiffs’ attorney. “The 330 breaches reported in 2021 exposed approximately 30 million sensitive records (28,045,658), while in 2020 only 306 breaches exposed approximately 10 million sensitive records (9,700,238).”
The larger trend
Lawsuits in the wake of massive health care data breaches are becoming more common as many major organizations — providers, payers, vendors and others — are reporting incidents involving PII and PHI of millions of their customers. For example, Community Health Systems is another major Tennessee provider network that has been sued after a data breach involving nearly one million patients.
Point32Health, the parent company of the Harvard Pilgrim health plan, is defending itself against several class action lawsuits following a recent ransomware attack.
NextGen was recently sued in federal court after plaintiffs alleged that the EHR provider didn’t follow proper guidelines for protecting patient data.
Multiple lawsuits have been filed this month against Johns Hopkins, the Baltimore-based health system that was the target of a ransomware attack in which the Clop ransomware group took advantage of a vulnerability in Progress Software’s MOVEit MFT tool.
Pennsylvania-based Lehigh Valley Health Network is another hospital system facing a class action suit, which is still in progress despite some changes in jurisdiction.
But as HIPAA Journal explains: “Healthcare data breach lawsuits often depend on whether there is a tangible injury that likely resulted from a specific data breach. Lawsuits that only allege identity theft and fraud exposure are unlikely to sustain.”
On the record
“HCA Healthcare reported this incident to law enforcement and retained third-party forensic and threat intelligence consultants,” the health system said in a statement. “While our investigation is ongoing, the company has not identified evidence of any malicious activity on the HCA Healthcare network or systems related to this incident.”
HCA officials said the company “has disabled user access to the storage location as an immediate containment measure” and plans to contact any affected patients to provide additional information and assistance in accordance with its legal and regulatory obligations, including identity protection services where appropriate.
Mike Milliard is executive editor of Healthcare IT News
Email the author: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.