Mon Health is facing a class action lawsuit over a hacking incident that allowed unauthorized individuals to gain access to its network for an 11-day period in December 2021. Mon Health said it detected the breach on December 30, 2021, with the forensic investigation determining hackers accessed its network between December 9 and December 19.
Mon Health announced the security breach on February 28, 2022, and confirmed that the hackers had access to the personal and protected health information of 492,861 individuals, including information about patients, employees, providers, and contractors. The information potentially accessed and stolen included names, addresses, birth dates, Social Security numbers, Medicare claim numbers, patient account numbers, health insurance information, medical record numbers, dates of service, provider names, claims information, and medical and clinical treatment information.
The lawsuit, which names Monongalia Health Systems Inc. and affiliated hospitals, Monongalia County General Hospital Co., Stonewall Jackson Memorial Hospital Co., and Preston Memorial Hospital Corp as defendants, was filed in Monongalia County Circuit Court in West Virginia by the Clarksburg law firm, Morgan and Morgan. The lawsuit names Rachel Silbaugh, Robin Stripling, and Michael Stripling as plaintiffs, with all other individuals affected by the breach included as class members.
The lawsuit alleges the data breach occurred because Mon Health failed to implement appropriate cybersecurity measures and was not in compliance with the security standards of the HIPAA Security Rule. It alleges negligence, breach of contract, breach of confidence, and breach of implied contract. While the breach notification letters were sent within the maximum timeframe permitted by the HIPAA Breach Notification Rule, the plaintiffs allege those notification letters were untimely and were “woefully deficient” in information about the breach.
Typically, when healthcare organizations experience a breach of the types of information that are sought by identity thieves, affected individuals are offered complimentary credit monitoring services. The plaintiffs claim that these were not provided and that they have been left with the burden of checking for misuse of their personal information. The plaintiffs claim they face an immediate and ongoing threat of identity theft and fraud as a direct result of the data breach and will continue to suffer damages, including covering the cost of ongoing credit monitoring and identity theft protection services.
The lawsuit seeks class certification, reimbursement of out-of-pocket expenses, and equitable relief, citing 20 data security measures that must be implemented to better protect patient data and prevent further data breaches.
The post Mon Health Faces Class Action Lawsuit Over 493K Record Data Breach appeared first on HIPAA Journal.