MA Hospital Faces Class Action Suit After Paying Ransomware Attackers

September 08, 2021 - Massachusetts-based Sturdy Memorial Hospital is facing a class action lawsuit after a ransomware attack in February that impacted over 35,000 individuals and put personally identifiable information (PII) in jeopardy.

Local news outlet The Sun Chronicle reported that a class action lawsuit was filed in Plymouth Superior Court on August 26, claiming that the provider failed to safeguard its data against ransomware attacks.

In addition to impacting Sturdy Memorial Hospital’s data, the incident also impacted Harbor Medical Associates, South Shore Medical Center, and South Shore Physician Hospital Organization, all of which had partnered with Sturdy for care coordination.

In Sturdy Memorial Hospital’s official statement to patients on May 28, the provider admitted to paying a ransom in exchange for the safe return of patient data.

“Through our investigation, we determined that an unauthorized party gained access to some of our systems during the morning of February 9, 2021,” the statement explained.

“Our systems were secured later that same day. In exchange for a ransom payment, we obtained assurances that the information acquired would not be further distributed and that it had been destroyed.”

The plaintiffs alleged in the lawsuit that the ransomware payment did not guarantee that their information is actually secured.

In addition, the FBI and the Cybersecurity and Infrastructure Agency (CISA) both strongly discourage entities from paying a ransom in response to a cyberattack. 

“Paying a ransom doesn’t guarantee you or your organization will get any data back,” the FBI’s website asserts.

“It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”

The stolen information included names, contact information, routing numbers, financial account numbers, Medicare claim numbers, medical history, and Social Security numbers. The hospital emphasized that its EHR system was not involved in the breach.

The suit claims that the attack resulted in damages exceeding $50,000, and the primary plaintiff’s attorneys requested a trial by jury.

The hospital provided two free years of credit monitoring and encouraged individuals to review their financial statements regularly.

However, the plaintiffs argued that two free years of credit monitoring is insufficient and does not properly compensate patients for the potential consequences of the ransomware attack, which could last for much longer than two years.

Lawsuits, data recovery, and additional cybersecurity investments are just some of the ramifications of a healthcare ransomware attack. A recent report from IBM and Ponemon Institute estimated that healthcare data breaches cost on average $9.23 million per incident.

CISA recently released a fact sheet that outlined steps organizations can take to protect PII and respond to a data breach. The fact sheet emphasized that organizations should never pay a ransom to cybercriminals and urged entities with sensitive data to ensure that they have encrypted offline data backups and an incident response plan.

It is also crucial that organizations ensure that data is disposed of properly and report data breaches to state and federal agencies.