A five-hospital health system located in California is facing several class action lawsuits from patients who charge that system leaders failed to keep their medical data safe from hackers. In May 2021, the organization was hit with a ransomware attack that forced it to take a portion of its IT system offline for several weeks.
The health system also admitted that the hackers stole data for nearly 150,000 patients. The organization notified 147,267 patients in June 2021 that the hackers acquired some health and personal financial information.
A lawsuit was filed June 21, 2021, on behalf of some of the patients who were victims of the cyberattack, accusing the health system of negligence and invasion of privacy as a result of the data breach. The law firm representing the plaintiffs claims that the personal information, including names, driver's license and Social Security numbers, and/or patient care records of nearly 150,000 patients, was compromised in the massive data breach.
Furthermore, the lawsuit claims that the health system maintained inadequate security measures for detecting and addressing the cyberattack, especially given knowledge of a heightened threat. In addition to the monetary damages, the suit demands that the health system implement and maintain sufficient security protocols going forward so as to prevent future attacks.
Another class action suit filed June 7, 2021, on behalf of another patient who was a victim of the cyberattack, alleges that because of the rise in high-profile data breaches among healthcare organizations, the health system “knew or should have known that its electronic records would likely be targeted by cybercriminals.” The lawsuit also states that the health system’s “negligence in safeguarding” patients’ medical information is “exacerbated by the repeated warnings and alerts directed to protecting and securing sensitive data.” Also, the health system “failed to take appropriate steps to safeguard patients’ protected health information” and could have prevented the data breach by “properly securing and encrypting” the medical data.
The lawsuit claims that the plaintiff was harmed by the breach, suffering lost time, annoyance, interference, and inconvenience. In addition, the plaintiff suffered anxiety and increased concern over the loss of his privacy, as well as anxiety over losing access to the health system portal.
The lawsuit is asking the health system to pay $1000 per violation while also seeking actual damages and punitive damages of up to $3000 per plaintiff and class action member, as well as attorney fees, litigation expenses, and court costs.
Another lawsuit filed on June 1, 2021, on behalf of one patient who was also a victim of the cyberattack and thousands of other patients believed to have been impacted by the breach, claims that medical history; mental or physical condition and treatment, including diagnosis and treatment dates; and other personal information was stored on the health system computer network in unencrypted form. The lawsuit claims that the plaintiffs have suffered damages from the unauthorized release of their individually identifiable medical information.
A health system spokesperson has said the organization would not comment on any pending litigation.
Issue:
The healthcare sector is now one of the largest victims of ransomware because of the confidentiality and critical nature of online patient records. It is imperative that all nursing facilities become proactive in preventing ransomware attacks to avoid data breaches, which are reportable under the Health Insurance Portability and Accountability Act (HIPAA). Nursing facility leaders and the Privacy Officer should be aware of the new tactics being used in ransomware attacks and provide training to all staff with access to electronic medical records, email, or the internet on best practices to prevent a ransomware attack. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 6 Data Integrity.
Discussion:
- Review facility policies and procedures on cybersecurity. Ensure that policies are kept current based on best practices designed to prevent ransomware attacks and that all required actions are taken.
- Train all appropriate staff on best practices to prevent ransomware. Document that the trainings occurred and file in each employee’s education file. Provide additional training as new information becomes available.
- Periodically audit to ensure that staff are knowledgeable about and using best practices for preventing ransomware attacks, and that the IT system has incorporated the most current recommendations for protecting PHI.