A proposed class action has been filed over an October 2019 ransomware attack on Alabama-based DCH Health System’s facilities that exposed the personal medical information of roughly 32,000 patients. The 41-page lawsuit alleges defendant DCH Healthcare Authority recklessly maintained proposed class members’ data on a computer network that was “vulnerable to cyberattacks,” seizure and being held hostage by hackers.
“As a result of the Ransomware Attack, Plaintiffs and class members suffered ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack,” the suit says, alleging violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The lawsuit states that DCH hospitals were temporarily shut down, except to new patients in critical condition, on October 1, 2019 due to an attack that held computers containing patient files and medical records hostage in exchange for a fee. Information compromised during the incident included Social Security numbers, health insurance data, demographics, and other HIPAA-protected details related to patients’ medical histories, the suit states. The lawsuit charges that affected data was “encrypted and locked away” by the culprit, who used a virus called “Ryuk” linked to “a hacker group in Russia.”
The case adds the ransomware attack also caused ambulances in the region to be redirected to other hospitals, required outpatients to reschedule appointments and necessitated the movement of stabilized patients to other facilities.
On October 5, 2019, DCH paid the hackers’ ransom in order to obtain an encryption key to access the compromised records, the lawsuit continues, and by October 10 the hospital reported that normal operations had resumed.
In addition to alleging DCH and its employees failed to properly monitor and safeguard the hospital’s computer systems to prevent patient information from being stolen, the lawsuit decries the defendant for failing to provide timely and adequate notice to those affected. All told, the plaintiffs say DCH “breached its obligations” to patients, who the suit says are now at a heightened risk of fraud and identity theft.