Daniel Elliott, a Georgia resident and patient of St. Joseph’s/Candler (SJ/C) Hospital Health System, recently filed a class-action lawsuit on behalf of 1.4 million people who believe they may have had their personal information compromised in the ransomware attack against St. Joseph’s/Candler hospital IT system discovered earlier this year.  The information that may have been compromised, according to a letter issued by the hospital at the time of the attack, includes “name in combination with address, date of birth, Social Security number, driver’s license number, patient account number, billing account number, financial information, health insurance plan member ID, medical record number, dates of service, provider names, and medical and clinical treatment information regarding care you received from SJ/C.”At the time of the data breach, hospital CEO and President Paul Hinchey announced, “We’re fully operational right now.  There are a few hotspots where we have to change out computers.  But in terms of the hospital, we’re back electronically, which was a big sea change for us, because we went from a fully integrated system to a paper system, and we haven’t done that in 25 years.”

Photo by Josh Sorenson from Pexels

Hinchey added that the hospital system continues to take measures ward off future attacks, saying, “These entities, they reinvent themselves at warp speed.  So, we’ve hired several national companies, one who does all the security for Amazon, and we put in all of these firewalls to make sure we mitigate that as best we can from ever happening again because once is enough.”The health care system is also offering patients a one-year membership to Experian’s IdentityWorks, which helps ensure sensitive information is protected moving forward.Elliott’s lawsuit has alleged, “SJ/C, the region’s largest health care system, violated its privacy policy and acted negligently when it failed to adequately secure patients’ information and take preventive measures to avoid the ransomware attack and data breach, which was detected on June 17.  Subsequent investigations revealed that the unauthorized party gained access to the hospital system’s IT network between Dec. 18, 2020, and June 17, 2021.”  It continues, “Patients suffered an increased risk of identity theft and medical identity theft, and have been forced to expend, and must expend in the future, to monitor their financial accounts, health insurance accounts, and credit files as a result of the data breach.”Elliot claims the hospital neglected to “design, adopt, implement, control, direct, oversee, manage, monitor and audit appropriate data security process, controls, policies, procedures, protocols and software and hardware systems” to protect patients’ information.Soumitra Bhuyan, assistant professor at the Edward J. Bloustein School of Planning and Public Policy at Rutgers University, said, “On average it takes about 96 days to identify the data breach. In some cases, it can take longer.  There are hospitals that did not identify that a breach happened for a year.”  This means, in some cases, a host of information can be stolen long before an entity even realizes there is an issue.The class-action seeks a jury trial, an unspecified amount of monetary relief for punitive damages, restitution and disgorgement, and payment of attorney fees.

Sources:

Class-action lawsuit filed against St. Joseph’s/Candler after ransomware attackSt. Joseph's/Candler ransomware investigation ongoing, patients offered identity protection