CommonSpirit Facing 2 Proposed Class Actions Post-BreachLawsuits: Hospital Chain Failed to Protect Data in Ransomware Compromise
CommonSpirit negligently failed to protect sensitive health information, resulting in a data compromise affecting more than 623,000 patients - and perhaps many more, allege plaintiffs in two proposed federal class action lawsuits filed in the aftermath of the hospital chain's 2022 ransomware attack.
The lawsuits - one filed on Jan. 13, and the other on Dec. 29, 2022 - are each being heard in the U.S. District Court for the Northern District of Illinois, where Chicago-based CommonSpirit has its headquarters (see: CommonSpirit Ransomware Breach Affects About 624,000 So Far).
While both lawsuits make similar claims against CommonSpirit, one of the complaints alleges that although CommonSpirit has reported that only its Virginia Mason Franciscan Health entities in Washington state were affected by the data breach, the actual number of affected individuals could be in the tens of millions.
CommonSpirit, a nonprofit Catholic chain of 142 hospitals and nearly 2,200 care sites across 21 states, is the product of a 2019 merger between Catholic Health Initiatives and Dignity Health. CommonSpirit, which acquired Virginia Mason Franciscan Health in 2021, is at least the fourth-largest healthcare organization in the United States.
Beyond the entities that CommonSpirit reported as having been affected by the incident, "other medical systems in Defendant's system have experienced significant disruptions in their operations which included doctors giving patients wrong doses of medication and patients not being able to schedule appointments," the lawsuit filed by plaintiff Jose Antonio Koch alleges.
The actual number of victims is potentially 20 million individuals, the complaint alleges.
CommonSpirit reported the hacking incident to the Department of Health and Human Services' Office for Civil Rights in December as affecting nearly 624,000.
CommonSpirit has said in public statements that on Oct. 2, 2022, it experienced a ransomware attack that affected some of its systems. Its investigation into the incident determined that the unauthorized third party gained access to CommonSpirit's network between Sept. 16 and Oct. 3, 2022, including certain files containing personal information.
Compromised files contained information pertaining to patients, family members of patients, or caregivers of patients, including name, address, phone numbers, birthdate and a unique ID used internally by the organization.
Both lawsuits allege a variety of failings by CommonSpirit contributed to the ransomware incident, the data breach and the aftermath.
"Even though the intrusion began on or about Sept. 16, 2022, it was not until two and a half months later that CommonSpirit began to notify the authorities and issue notice to affected victims," putting affected individuals at risk for identity theft and fraud, alleges a complaint filed by plaintiff Leeroy Perkins.
The lawsuits allege that CommonSpirit failed to properly safeguard and protect plaintiffs' and class members' private information from unauthorized access, use and disclosure as required by various state and federal regulations, industry practices and common law.
CommonSpirit also failed to establish and implement appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of data against reasonably foreseeable threats, the lawsuits allege.
'Tough Hill to Climb'
The lawsuits will face hurdles as they attempt to gain traction in court.
"Plaintiffs have to show they suffered actual harm to have standing to bring a federal class action. That’s a tough hill to climb, and both lawsuits show lawyers struggling to meet this burden," says regulatory attorney Paul Hales of the Hales Law Group.
Both lawsuits seek relief including damages. The Koch lawsuit also seeks seven years of credit monitoring for plaintiffs and class members as well as an order for CommonSpirit to improve its data security practices.
CommonSpirit declined Information Security Media Group's Tuesday request for comment.