Memorial Hospital System (MHS) faces a proposed class action over a data breach that reportedly compromised the personal and health information of over 216,000 patients last summer.
The 51-page lawsuit claims the defendant, a network of hospitals, emergency departments and outpatient centers in Ohio, was negligent in maintaining patients’ private information and failed to take the necessary steps to secure the data from unauthorized access. As a result, an unauthorized actor gained entry to the hospital system’s network between July 10 and August 15, 2021, and was able to access files containing the private information of roughly 216,478 patients, the lawsuit alleges.
The information compromised in the breach included patient names, Social Security numbers, medical and treatment information, health insurance details and other protected health data, according to the complaint.
The case alleges defendant Marietta Area Health Care, Inc., who does business as Memorial Hospital System, maintained patient data “in a reckless manner” and left the information “in a condition vulnerable to cyberattack.” Per the lawsuit, the defendant violated both its own promise to keep patients’ data safe and the Health Insurance Portability and Accountability Act (HIPAA), and has subjected data breach victims to an increased risk of identity theft and fraud.
“Plaintiff’s and Class Members’ identities are now at risk because of Defendant’s negligent conduct since the Private Information that MHS collected and maintained is now in the hands of data thieves,” the complaint says.
The lawsuit claims the defendant—whose health system includes Marietta Memorial Hospital; Sistersville General Hospital; Selby General Hospital; Physicians Care Express; Marietta Health Care Physicians, Inc.; Memorial Health Foundation; Marietta Occupational Health Partners; and Marietta Home Health Services & Hospice—discovered on August 14, 2021 that malware had been installed on some of its servers. A subsequent investigation revealed that an unauthorized actor had been able to access MHS’s network for almost an entire month, encrypt patient data, and “hold hostage” the defendant’s system, the suit relays.
The lawsuit alleges that MHS waited over five months—until mid-January 2022—to notify patients whose information was compromised. According to the case, this delay violated the Ohio Security Breach Notification Act, which requires a company to notify victims of a data breach “as quickly as possible” and no later than 45 days after the incident is discovered.
Moreover, the suit claims that because the hackers were able to acquire patients’ data, affected individuals now face an increased risk of identity theft and fraud “and must deal with that threat forever.”
Per the case, MHS failed to comply with cybersecurity guidelines recommended by the Federal Trade Commission, and implement industry-standard data security practices:
“As the result of antivirus and malware protection software in dire need of security updating, inadequate procedures for handling phishing emails or emails containing viruses or other malignant computer code, and other failures to maintain its networks in configuration that would protect against cyberattacks like the ransomware intrusion here, Defendant negligently and unlawfully failed to safeguard Plaintiff’s and Class Members’ Private Information by allowing cyberthieves to access, and hold hostage, MHS’s IT systems, and which contained unsecured and unencrypted Private Information.”
The case looks to represent anyone who utilized MHS’s services and whose private information was maintained on the MHS system that was compromised in the data breach, and who was sent a notice of the data breach.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.
Camp Lejeune residents now have the opportunity to claim compensation for harm suffered from contaminated water.