Cybersecurity News

Patients File Lawsuits in Wake of Healthcare Data Breaches

Some hospitals are successfully putting a stop to lawsuits filed in the wake of healthcare data breaches, claiming a lack of real injury to patients.

By Jill McKeon

Healthcare data breaches may result in the exposure of protected health information (PHI) and personally identifiable information (PII), and victims are often advised to remain vigilant against suspicious account activity and consistently monitor their credit reports.

Although data breaches can be a cause for concern for impacted individuals, it can be difficult to prove financial harm or justify concern as a reason to seek damages.

Nonetheless, many hospitals face class-action lawsuits after suffering a ransomware attack, in which former patients may claim that the hospital or health system should have implemented proper safeguards to prevent the breach from happening.

UF Health Requests Dismissal of Patient Lawsuit

UF Health Central Florida filed a motion to dismiss a lawsuit that alleged that the health system was negligent and failed to prevent a May 31 ransomware attack that led to nearly one month of EHR downtime and impacted over 700,000 individuals, according to Villages-News.

“Plaintiff did not file the lawsuit because, as a result of the Ransomware Attack, someone obtained and fraudulently used or even attempted to use her personal information. Nor did she file the lawsuit because the Ransomware Attack caused her to incur any out-of-pocket costs. She filed the lawsuit because she was notified of the Ransomware Attack; nothing more,” the motion explained.

The original suit claimed that the plaintiff, former UF Health patient Chrystal Holmes, suffered “lost time, annoyance, interference, and inconvenience” because of the cyberattack.

Holmes alleged that UF Health failed to implement known industry safeguards and exercise reasonable care in protecting patient protected health information (PHI).

“Under Florida law, notification of a Ransomware Attack does not allow an individual, like Plaintiff here, to file a lawsuit. More is required,” the motion reasoned.

“For each of her claims—negligence, breach of contract, and breach of fiduciary duty—Plaintiff must allege that she suffered a cognizable injury caused by the Ransomware Attack. She has not. For that reason alone, her claims must be dismissed.”

Eskenazi Health Faces Lawsuit After Data Breach Impacting 1.5 Million

Patient Terri Ruehl Young is seeking class-action status in a lawsuit against Indiana-based Eskenazi Health, alleging that the ransomware attack on the hospital resulted in fraudulent charges on her credit card as well as wasted money and time.

Eskenazi Health discovered a cyberattack in August that impacted more than 1.5 million individuals, making it one of the largest healthcare data breaches of 2021 to date. The hospital initially did not know if any patient information was used maliciously, but alerted patients on October 1 that bad actors had in fact stolen patient information and posted it on the dark web, and had had access to the hospital’s network since May.

Young alleged that she discovered a $370 fraudulent charge on the credit card she used to pay her hospital bill and found that someone had attempted to change her name on an Equifax credit report, according to the Indianapolis Business Journal.

Young is seeking class-action status, claiming that the breach resulted in lost money and time for patients who had entrusted the health system with their personal information.

On November 11, months after the initial attack, Eskenazi began sending letters via mail to the impacted individuals.

Patient Denied Class-Action Status Against West Virginia Health System

Class-action status was lifted in a lawsuit against West Virginia University Health Systems because the patient, Eugene Roman, lacked sufficient standing, court documents revealed. Roman filed a lawsuit due to a 2016 data breach that impacted over 7,000 individuals.

Angela Roberts, a former employee at a West Virginia University Health Systems-affiliated medical center, admitted to inappropriately accessing patient data and stealing it. Roberts would then give the information to her boyfriend, Wayne Roberts, with the intention to commit identity theft and produce fake Social Security cards.

In order for a lawsuit to receive class-action status, “at least one named plaintiff must have standing with respect to each claim asserted, and the burden of establishing standing is on the plaintiff(s),” the court documents explained.

“Hospitals argue that the class representatives lack standing because they have suffered no injury-in-fact from the employee’s legitimate access to their confidential records,” the document continued.

“Hospitals additionally argue that certain prerequisites to class certification were not met in this case. We address this issue only as to Mr. Roman and the subclass of 109 individuals he represents and find that the circuit court failed to provide a thorough analysis of the typicality prerequisite in light of Mr. Roman’s circumstances and claims.”

The court subsequently lifted the case’s class-action status while maintaining that Roberts had committed the crime.