in Newswire January 7, 2020

Data Breach: DCH Health System Hit with Lawsuit Over October 2019 Ransomware Attack

by Corrado Rizzi

Last Updated on January 7, 2020

View Comments

Daniels et al. v. DCH Healthcare Authority

Filed: December 23, 2019 § 7:19-cv-02086

Read Complaint

A class action case has been filed over a 2019 ransomware attack that compromised the personal data of more than 32,000 DCH Health System patients.

Defendant(s)

DCH Healthcare Authority DCH Health System

Law(s)

State(s)

Alabama

A proposed class action has been filed over an October 2019 ransomware attack on Alabama-based DCH Health System’s facilities that exposed the personal medical information of roughly 32,000 patients. The 41-page lawsuit alleges defendant DCH Healthcare Authority recklessly maintained proposed class members’ data on a computer network that was “vulnerable to cyberattacks,” seizure and being held hostage by hackers.

“As a result of the Ransomware Attack, Plaintiffs and class members suffered ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack,” the suit says, alleging violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The lawsuit states that DCH hospitals were temporarily shut down, except to new patients in critical condition, on October 1, 2019 due to an attack that held computers containing patient files and medical records hostage in exchange for a fee. Information compromised during the incident included Social Security numbers, health insurance data, demographics, and other HIPAA-protected details related to patients’ medical histories, the suit states. The lawsuit charges that affected data was “encrypted and locked away” by the culprit, who used a virus called “Ryuk” linked to “a hacker group in Russia.”

The case adds the ransomware attack also caused ambulances in the region to be redirected to other hospitals, required outpatients to reschedule appointments and necessitated the movement of stabilized patients to other facilities. 

On October 5, 2019, DCH paid the hackers’ ransom in order to obtain an encryption key to access the compromised records, the lawsuit continues, and by October 10 the hospital reported that normal operations had resumed. 

In addition to alleging DCH and its employees failed to properly monitor and safeguard the hospital’s computer systems to prevent patient information from being stolen, the lawsuit decries the defendant for failing to provide timely and adequate notice to those affected. All told, the plaintiffs say DCH “breached its obligations” to patients, who the suit says are now at a heightened risk of fraud and identity theft.

This browser does not support PDFs. Please download the PDF to view it: Download PDF.
Open Document
Last Updated on January 7, 2020 — 2:01 PM

Corrado Rizzi

corrado@classaction.org

Corrado Rizzi is the Managing Editor and a writer for ClassAction.org.

About ClassAction.org

ClassAction.org is a group of online professionals (designers, developers and writers) with years of experience in the legal industry.

Learn More

Before commenting, please review our comment policy.