Taylor Regional Hospital Sued Over 2021-2022 Patient Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

Taylor Regional Hospital faces a proposed class action over its alleged failure to reasonably safeguard the sensitive personal and health information of patients whose data was compromised in a cyberattack from November 2021 to January 2022. 

The 58-page lawsuit says patients’ first and last names, Social Security numbers, dates of birth, health insurance information, home addresses, and medical treatment details were stolen by cybercriminals in the months-long breach. Per the suit, Campbellsville, Kentucky-based Taylor Regional Hospital did not begin to notify victims until April of this year, five months after the data breach began. 

The suit claims the information was maintained by Taylor Regional “in a condition vulnerable to cyberattacks,” including through ransomware. 

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here. 

According to the complaint, victims of the Taylor Regional Hospital data breach will face an increased risk of identity theft and fraud, possibly for the rest of their lives. To date, there has been “no assurance offered by Taylor Regional that all impacted Private Information or copies thereof have been recovered or destroyed,” the suit says. 

The plaintiff, a Liberty, Kentucky resident, was treated at Taylor Regional for a work-related injury, the case explains. According to the complaint, the man was unable to secure employment benefits earlier this year because another party, using his stolen information, was “able to fraudulently obtain” unemployment benefits in his name.

“Plaintiff greatly values his privacy especially while receiving medical services and would not have paid the amount that he did to receive medical services had he known that Taylor Regional would negligently disclose his Private Information as it did,” the filing says. 

The suit shares that Taylor Regional discovered “unauthorized activity” on its computer systems in January and first provided notice to victims in April. In its notice, the hospital offered no explanation for the delay between its initial discovery of the incident and when it notified affected patients, the case says. This delay likely caused victims to “suffer[] harm they otherwise could have avoided had a timely disclosure been made,” the lawsuit contends. 

Further, the hospital’s notice itself was “woefully deficient” in that it lacked basic details about the cyberattack, including how Taylor Regional’s networks were accessed, whether the information was encrypted or otherwise protected, how the hospital learned of the breach, and how many patients were affected, among other specifics, the lawsuit states. 

To date, Taylor Regional has offered data breach victims no help as far as credit monitoring services, and instead “simply encourag[ed] [victims] to take on the task of monitoring their credit themselves,” the suit says. 

The lawsuit claims Taylor Regional’s failure to implement adequate cybersecurity measures is “especially egregious” given that the healthcare industry has, especially recently, been the target of scammers and hackers. Specifically, Taylor Regional failed to have in place a variety of anti-ransomware training tools, perform regular training, and “[c]raft and tailor different approaches to different employees” based on their knowledge of cybersecurity, the suit states. 

The lawsuit looks to cover all persons in the United States whose private information was compromised as a result of the Taylor Regional data breach discovered by the hospital around January 2022. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.