Keystone Health Responsible for 2022 Data Breach, Class Action Alleges

New to ClassAction.org? Read our Newswire Disclaimer

Keystone Health has been hit with a proposed class action that claims the healthcare provider failed to prevent a “foreseeable” data breach in 2022 that compromised its patients’ personal and health information.

The 58-page lawsuit alleges Keystone Health’s failure to implement adequate cybersecurity measures allowed cybercriminals to access its systems between July 28 and August 19 of this year. The breach exposed consumers’ names, Social Security numbers, dates of birth, health insurance information, personal addresses, and sensitive patient medical treatment details, the filing relays.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The complaint alleges that Keystone Health detected the cyberattack on August 19 but waited two months before notifying affected individuals on October 14. The plaintiff, a Pennsylvania patient who gave birth to her son in a hospital operated by Keystone Health, claims to have  received letters stating that hackers gained access to her and her son’s private information.

According to the complaint, Keystone Health’s notice of the incident was short on specifics.

Additionally, Keystone Health has failed to disclose why it waited to alert patients after detecting the data breach, and if all the exposed data, and copies of the data, have been recovered or destroyed, the case contends.

According to the suit, the healthcare provider has offered the plaintiff and affected individuals 12 months of Equifax credit monitoring, which is “woefully inadequate” given that patients will risk falling victim to identity theft crimes for years to come. 

The complaint alleges that Keystone Health “intentionally, willfully, recklessly, or negligently” left consumers’ personal information vulnerable and unencrypted, despite repeated warnings to safeguard personal and health information and highly publicized ransomware attacks within the healthcare industry.

Further, the filing contends that Keystone Health “could and should have” implemented security measures recommended by the U.S. Cybersecurity & Infrastructure Security Agency or the Microsoft Threat Protection Intelligence Team. 

Per the case, Keystone Health has overlooked minimum industry standards for cybersecurity and failed to comply with Federal Trade Commission guidelines for data security. The healthcare provider has also violated its obligations under the Health Insurance Portability and Accountability Act (HIPAA) and breached its privacy policy to safeguard patients’ information, the suit alleges.

The lawsuit looks to represent anyone in the United States whose private information was compromised during the Keystone Health data breach discovered in August 2022.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.