The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

CommonSpirit Health Facing Class Action Lawsuit over Ransomware Attack and Data Breach

The Chicago, IL-based health system, CommonSpirit Health, is facing a class action lawsuit over its October 2022 ransomware attack. Malicious actors gained access to its IT systems on September 16, 2022, and deployed ransomware on October 2, 2022. The attack forced the shutdown of its electronic medical record system and caused considerable disruption over several weeks, with the Catholic health system having to cancel many appointments. The forensic investigation determined the protected health information of patients of Virginia Mason Franciscan Health was potentially compromised in the attack. Virginia Mason Franciscan Health operates St. Anne Hospital, St. Elizabeth Hospital, St. Anthony Hospital, St. Clare Hospital, St. Francis Hospital, St. Joseph Hospital, and St. Michael Medical Center. CommonSpirit Health said the information compromised in the attack was limited to names, addresses, phone numbers, dates of birth, and unique ID numbers, and reported the data breach to the HHS’ Office for Civil Rights as affecting 623,774 individuals.

In late December, a lawsuit was filed in the District Court for the Northern District of Illinois on behalf of Virginia Mason Franciscan Health patient Leeroy Perkins and other similarly affected patients. The lawsuit alleges CommonSpirit Health was negligent for failing to implement and follow basic cybersecurity procedures and industry cybersecurity best practices, which allowed unauthorized individuals to gain access to patients’ sensitive data, placing affected patients at risk of identity theft and fraud.

Perkins claims to have had to spend valuable time monitoring his accounts and changing passwords, and now faces an increased risk of identity theft and fraud as a result of the data breach. He also claims costs will be incurred paying for credit monitoring and identity theft protection for years to come, and his credit score is likely to be lowered. The lawsuit seeks class action status, damages exceeding $5 million, and injunctive relief, including CommonSpirit Health implementing more robust cybersecurity measures to protect patient data.

It is now common for lawsuits to be filed against healthcare providers that have suffered ransomware and other cyberattacks, especially when the data breaches affect many thousands of patients; however, in order for the lawsuits to succeed, the plaintiffs must demonstrate they have been harmed as a result of a data breach. Lawsuits often fail when they are based solely on an elevated risk of identity theft and fraud.

In 2021, a lawsuit filed against Brandywine Urology Consultants was dismissed by a Delaware Superior Court judge when the plaintiffs failed to provide sufficient evidence that they had been harmed by the breach. “A plaintiff alleging that it will suffer future injuries from a defendant’s allegedly improper conduct must show that such injuries are certainly impending,” and must demonstrate “a likelihood that the injury will be redressed by a favorable decision,” said the Honorable Mary M. Johnston in the ruling dismissing the lawsuit. The plaintiffs claimed to have incurred expenses as a result of the breach, but the judge ruled that costs incurred in response to a speculative threat are not sufficient to confer standing.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
