Hackensack Meridian Health (HMH) faces a proposed class action lawsuit over a December 2019 ransomware attack that two plaintiffs allege was the result of the “reckless manner” in which the New Jersey hospital network maintained patients’ private information. To date, the lawsuit says, HMH has not notified patients of the ransomware incident, nor reported the breach to the Department of Health and Human Services.
Filed in Newark district court, the 45-page complaint relays that Hackensack Meridian Health experienced on December 2, 2019 an “IT disruption” that was determined to be a targeted ransomware attack, a type of cyber incident in which malicious software blocks an entity’s access to its computer systems, usually by encryption, until a ransom is paid. According to the lawsuit, the attack crippled the computer network used by the defendant’s 17 hospitals for two days, leaving facilities under the HMH umbrella unable to reschedule non-emergency surgeries and doctors and nurses locked out of patient records. Citing a spokeswoman for the Health Professionals and Allied Employees union, the case says HMH facilities during the attack couldn’t so much as rely on computers for basic tasks, such as delivering lab results or providing patients with medication information.
After conducting an investigation with an outside cybersecurity firm, HMH, the suit says, announced on December 13 that its network had in fact been hit by a ransomware attack. Those responsible had gained access to portions of the defendant’s computer systems and made certain files unreadable via encryption, holding hostage “a critical portion” of HMH’s network containing patient records, the case relays. The plaintiffs allege that proposed class members’ information was stolen and subsequently sold as a result of the attack.
Due to the ransomware attack, proposed class members suffered what the case describes as “ascertainable losses” ranging from a disruption in medical services to out-of-pocket expenses to time spent remedying or mitigating any effects of the incident. Patient information allegedly compromised during the incident included names, demographic details, dates of birth, Social Security and driver’s license numbers, employment data and medical information protected by the Health Insurance Portability and Accountability Act of 1996—HIPAA.
The lawsuit alleges HMH maintained patient information in its systems “in a condition vulnerable to cyberattacks” that generally disrupt consumers’ medical care. According to the complaint, the potential for a ransomware attack was a “known risk” to HMH, thus putting the company on notice that patients’ information was in danger of being compromised.
“Had HMH properly monitored its property, it would have discovered the intrusion sooner,” the case says, adding that proposed class members now face a heightened risk of identity theft and fraud.
The lawsuit looks to represent a class of those who utilized HMH’s services and whose private information was stored in the company’s computer system that was compromised in the December 2019 ransomware attack.
The complaint can be read below.
Want class action news sent to your inbox? Sign up for ClassAction.org's newsletter here.