in Newswire Published on February 3, 2022

Memorial Hospital System Facing Class Action Over Summer 2021 Data Breach [UPDATE]

by Erin Shaak

Last Updated on June 13, 2023

View Comments

McCumbers v. Marietta Area Health Care, Inc.

Filed: January 27, 2022 § 2:22-cv-00385

Read Complaint

Memorial Hospital System faces a lawsuit over a data breach that reportedly compromised the personal and health information of over 216,000 patients last summer.

Defendant(s)

Marietta Area Health Care, Inc. Memorial Hospital System

Law(s)

Health Insurance Portability and Accountability Act

State(s)

Ohio

Categories

Privacy Data Breach

June 6, 2023 – Memorial Hospital System Data Breach Lawsuit Settled for $1.75 Million

Memorial Hospital System has agreed to pay $1.75 million to settle the proposed class action detailed on this page, which was consolidated with similar lawsuits on March 30, 2022.

Don’t miss out on settlement news like this. Sign up for ClassAction.org’s free weekly newsletter here.

The deal, once approved by a judge, would cover 216,478 current and former patients who were sent a notice letter of the MHS data breach that occurred between July 10 and August 15, 2021, according to a motion for preliminary approval submitted to the court on May 16, 2023.

Class members who submit a claim with documentation of out-of-pocket losses “reasonably traceable” to the data breach can be reimbursed up to $5,000, the proposed settlement says. Eligible individuals may also submit a claim to receive $25 for every hour spent resolving issues attributable to the data breach, with a cap of $100. No documentation is required to collect lost-time claims.

In addition to these benefits, anyone covered by the settlement can also submit a claim for a $50 cash payment. This amount may be increased or decreased pro rata, or proportionally, depending on how much of the settlement fund is left after the distribution of the out-of-pocket and lost-time benefits, administrative fees, attorneys’ fees and expenses.

Data breach victims covered by the proposed deal are expected to receive direct notice of the settlement via email or mail within 30 days of preliminary approval. Notice recipients can file a claim when the official settlement website—MHSDataSettlement.com—goes live.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.

Memorial Hospital System (MHS) faces a proposed class action over a data breach that reportedly compromised the personal and health information of over 216,000 patients last summer.

The 51-page lawsuit claims the defendant, a network of hospitals, emergency departments and outpatient centers in Ohio, was negligent in maintaining patients’ private information and failed to take the necessary steps to secure the data from unauthorized access. As a result, an unauthorized actor gained entry to the hospital system’s network between July 10 and August 15, 2021, and was able to access files containing the private information of roughly 216,478 patients, the lawsuit alleges.

The information compromised in the breach included patient names, Social Security numbers, medical and treatment information, health insurance details and other protected health data, according to the complaint.

The case alleges defendant Marietta Area Health Care, Inc., who does business as Memorial Hospital System, maintained patient data “in a reckless manner” and left the information “in a condition vulnerable to cyberattack.” Per the lawsuit, the defendant violated both its own promise to keep patients’ data safe and the Health Insurance Portability and Accountability Act (HIPAA), and has subjected data breach victims to an increased risk of identity theft and fraud.

“Plaintiff’s and Class Members’ identities are now at risk because of Defendant’s negligent conduct since the Private Information that MHS collected and maintained is now in the hands of data thieves,” the complaint says.

The lawsuit claims the defendant—whose health system includes Marietta Memorial Hospital; Sistersville General Hospital; Selby General Hospital; Physicians Care Express; Marietta Health Care Physicians, Inc.; Memorial Health Foundation; Marietta Occupational Health Partners; and Marietta Home Health Services & Hospice—discovered on August 14, 2021 that malware had been installed on some of its servers. A subsequent investigation revealed that an unauthorized actor had been able to access MHS’s network for almost an entire month, encrypt patient data, and “hold hostage” the defendant’s system, the suit relays.

The lawsuit alleges that MHS waited over five months—until mid-January 2022—to notify patients whose information was compromised. According to the case, this delay violated the Ohio Security Breach Notification Act, which requires a company to notify victims of a data breach “as quickly as possible” and no later than 45 days after the incident is discovered.

Moreover, the suit claims that because the hackers were able to acquire patients’ data, affected individuals now face an increased risk of identity theft and fraud “and must deal with that threat forever.”

Per the case, MHS failed to comply with cybersecurity guidelines recommended by the Federal Trade Commission, and implement industry-standard data security practices:

“As the result of antivirus and malware protection software in dire need of security updating, inadequate procedures for handling phishing emails or emails containing viruses or other malignant computer code, and other failures to maintain its networks in configuration that would protect against cyberattacks like the ransomware intrusion here, Defendant negligently and unlawfully failed to safeguard Plaintiff’s and Class Members’ Private Information by allowing cyberthieves to access, and hold hostage, MHS’s IT systems, and which contained unsecured and unencrypted Private Information.”

The case looks to represent anyone who utilized MHS’s services and whose private information was maintained on the MHS system that was compromised in the data breach, and who was sent a notice of the data breach. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.

Case Spotlight

Video Game Addiction Lawsuits

If your child suffers from video game addiction — including Fortnite addiction or Roblox addiction — you may be able to take legal action. Gamers 18 to 22 may also qualify.

Learn more:Video Game Addiction Lawsuit

Depo-Provera Lawsuits

Anyone who received Depo-Provera or Depo-Provera SubQ injections and has been diagnosed with meningioma, a type of brain tumor, may be able to take legal action.

Read more: Depo-Provera Lawsuit

How Do I Join a Class Action Lawsuit?

Did you know there's usually nothing you need to do to join, sign up for, or add your name to new class action lawsuits when they're initially filed?

Read more here: How Do I Join a Class Action Lawsuit?

ClassAction.org Newsletter

Stay Current

Sign Up For
Our Newsletter

New cases and investigations, settlement deadlines, and news straight to your inbox.

Open Document
Last Updated on June 13, 2023 — 9:16 AM

Erin Shaak

erin@classaction.org

Erin works primarily on ClassAction.org’s newswire, reporting on cases as they happen.

About ClassAction.org

ClassAction.org is a group of online professionals (designers, developers and writers) with years of experience in the legal industry.

Learn More

Before commenting, please review our comment policy.