Hackensack Meridian Faces Breach Lawsuit After Ransomware Attack

Two patients have filed a lawsuit against Hackensack Meridian Health in New Jersey, after a ransomware attack forced the provider into EHR downtime for two days in December.

By Jessica Davis

Hackensack Meridian Health, one of the largest health systems in New Jersey, is facing a class-action lawsuit following a ransomware attack that drove the provider offline for several days in December.

The IT team at HMH quickly identified the ransomware infection in mid-December and contacted law enforcement, regulators, and a third-party cybersecurity firm. Initially, the attack was reported as technical issues to protect the investigation. The ransomware impacted all 17 hospitals.

But a few days later, HMH confirmed the service interruptions were caused by ransomware. The network was forced offline for two days, and non-emergency medical procedures were cancelled as providers were unable to access the electronic health record system and other computers.

Clinicians were forced into downtime procedures, leaning on pen and paper to allow patient care to continue. HMH reportedly paid an undisclosed ransom to avoid further care disruptions, but the system remained offline for several more days as officials worked to restore access to all computer systems.

In response, two patients have filed a proposed class-action lawsuit in a district court in Newark over the “reckless manner” in which HMH maintained its network to protect patient information. Currently, the lawsuit claims HMH has not notified patients or the Department of Health and Human Services about the attack. The security event is not yet listed on the HHS Office for Civil Rights’ breach reporting tool.

“The private Information was maintained on HMH’s computer network in a condition vulnerable to cyberattacks of the type that cause actual disruption to [patients’] medical care and treatment,” according to the suit.

The patients also claim their data was “seized and held hostage by computer hackers for ‘ransom’, and ultimately disclosed to other unknown thieves.” The suit further alleges that HMH was aware of the risk and failed to take the necessary steps to secure private data, leaving the “property in a dangerous condition.”

Further, the lawsuit argues that HMH failed to properly monitor its network and the systems that stored sensitive data. Had it done so, the suit contends, the intrusion would have been detected earlier.

The suit also claims that clinicians were unable to reschedule non-emergency surgeries, while the computer system was unable to deliver lab results or provide patients with medication information.

“Because of the ransomware attack, [patients] had their medical care and treatment as well as their daily lives disrupted,” according to the lawsuit. “As a consequence of the ransomware locking down the medical records of [patients], they had to, among other things, forego medical care and treatment or had to seek alternative care and treatment.”

“[Patients’] identities are now at risk because of [HMH]’s negligent conduct since the private information that HMH collected and maintained is now in the hands of data thieves,” it continued. “[Patients] have been exposed to a heightened and imminent risk of fraud and identity theft. ... [and] must now and in the future closely monitor their financial accounts to guard against identity theft.”

The breach victims are seeking financial compensation, reimbursement of out-of-pocket costs related to the incident, and injunctive relief that would include requiring HMH to improve its data security systems, future annual audits, and adequate credit monitoring services.

As ransomware attacks pummeled the healthcare sector during the last quarter of 2019, there has been a steady stream of patients filing lawsuits against those providers to recoup potential losses.

In January and December alone, LifeLabs was hit with several lawsuits over a data breach impacting 15 million patients, the Supreme Court of Georgia revived a lawsuit against Athens Orthopedic Clinic, Health Quest and Tidelands Health were hit with separate lawsuits for their breaches, and Solara Medical was sued by its breach victims, as well.