Second Class Action Lawsuit Filed Against CommonSpirit Health Over Ransomware Attack

By | January 24, 2023

Another lawsuit has been filed against CommonSpirit Health over its 2022 ransomware attack and data breach that alleges the nation’s largest catholic health system failed to implement reasonable and appropriate safeguards to prevent unauthorized access to sensitive patient data.

CommonSpirit Health announced in early October that it was dealing with a cyberattack that took down its IT systems, then in December confirmed that the individuals behind the ransomware attack had access to certain parts of its network from September 16 through October 3, 2022, during which time they may have accessed or obtained the protected health information of 623,774 patients including names, contact information, birth dates, and internal patient identifiers.

The latest lawsuit was filed on January 13, 2022, in the U.S. District Court for the Northern District of Illinois on behalf of plaintiff Jose Antonio Koch, his two minor children (John/James Doe), and other similarly affected individuals. Koch and his children received medical care at St. Michael Medical Center in Silverdale, WA, a CommonSpirit Health member hospital operated by Virginia Mason Franciscan Health, that was affected by the attack.

CommonSpirit Health provided regular updates on its website about the cyberattack and data breach and notified patients in December when the extent of the breach had been determined, approximately two and a half months after the breach occurred and two months after the breach was detected. The lawsuit alleges CommonSpirit Health “intentionally, willfully, recklessly or negligently” failed to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions, and that “CommonSpirit has not been forthcoming about the data breach.” The lawsuit also suggests the actual number of individuals affected may be much higher, potentially as high as 20 million, and takes issue with the time it took CommonSpirit Health to detect the data breach, which started on September 16, 2022, but was not detected until October 2, 2022.

The lawsuit alleges the plaintiffs and class members have been exposed to a heightened and imminent risk of fraud, financial identity theft, and medical identity theft, and must now cover the cost of credit monitoring services, credit freezes, credit reports, and other protective measures, as that they have had to spend time monitoring their accounts, changing passwords, and taking other measures to protect their identities.

The lawsuit alleges negligence, breach of implied contract, unjust enrichment, and negligence per se, and seeks class action status, at least 7 years of complimentary credit monitoring services, and an award of actual damages, compensatory damages, statutory damages, and statutory penalties, as determined and allowable by law, and an award of punitive damages and attorneys’ fees.

An earlier lawsuit was filed in the U.S. District Court for the Northern District of Illinois on December 29, 2022, by Washington resident, Leeroy Perkins, which makes similar claims that industry-standard cybersecurity measures had not been implemented. That lawsuit seeks damages exceeding $5 million and injunctive relief, which includes the requirement for CommonSpirit Health to implement stronger data security measures to prevent further data breaches.

The post Second Class Action Lawsuit Filed Against CommonSpirit Health Over Ransomware Attack appeared first on HIPAA Journal.