The Methodist Hospitals, Inc. (TMH) has been hit with a proposed class action lawsuit in the wake of a security incidentduring which the private information of “at least” 68,000 patients was reportedly compromised. According to the case, the hospital system’s alleged failure to prevent and detect the data breach “negligently and unlawfully” exposed patients to an increased risk of identity theft and “severely disrupted” their lives.
The 37-page lawsuit out of Indiana claims two TMH employees fell victim to a phishing scam that allowed hackers to access their respective email accounts from March 13 to June 12, 2019 and in July of the same year. During these two windows, patient names, contact information, dates of service, treatment information, health insurance information, Social Security numbers, physician names, and medical bill account numbers may have been compromised, the suit says.
The case claims the defendant maintained patients’ sensitive data “in a reckless manner” that left the information vulnerable to cyberattacks. Moreover, the suit argues that had the hospital system and its employees properly monitored the IT systems that housed the data, the attack would have been discovered much sooner. According to the complaint, the breach was not detected until August 2019—months after hackers first gained access to patients’ data.
Perhaps worse, the lawsuit claims that although TMH was well aware of the risk of a potential cybersecurity incident, the company intentionally failed to properly secure proposed class members’ data, exposing the individuals to a heightened risk of identity theft. Given that the potential for a cyberattack was a known risk to TMH, the suit says, the company was “on notice” that failing to have proper safeguards in place would leave proposed class members’ information dangerously vulnerable.
“Plaintiffs’ and Class Members’ identities are now at risk because of Defendant’s negligent conduct since the Private Information that Defendant TMH collected and maintained is now in the hands of data thieves,” the complaint reads.
The lawsuit argues that as of the date the complaint was filed, TMH has “done nothing” to compensate proposed class members—patients whose private information was maintained on the defendant’s system during the data breach—for damages they suffered as a result of the incident. Affected patients are now at an “imminent, immediate, and continuing” risk of harm from identity theft, the case says, and must spend time and money mitigating the effects of the TMH’s conduct.