Tenet Healthcare, Baptist Health Face Healthcare Data Breach Lawsuit

July 14, 2022 - Tenet Healthcare and affiliate Baptist Health System are facing a healthcare data breach lawsuit relating to a cybersecurity incident that occurred in April 2022 and affected approximately 1.2 million patients, according to The Dallas Morning News.

Plaintiff Troy Contreras filed the lawsuit in Dallas County on July 5 and is seeking class-action status and more than $1 million in damages.

As previously reported, Texas-based Tenet Healthcare affiliates Baptist Medical Center and Resolute Health Hospital informed patients of a data security incident that it discovered on April 20, 2022.

An investigation revealed that an unauthorized party potentially infected the hospital network with malicious code and was able to remove some data from the network between March 3 and April 24.

The information involved in the incident included names, Social Security numbers, health insurance information, medical record numbers, dates of service, provider and facility names, addresses, birth dates, reason for visit, procedure information, account or claim status, and billing and diagnostic codes.

Tenet Healthcare and its affiliates appeared to have notified impacted individuals of the breach within the HIPAA-required 60-day timeframe.

The lawsuit alleged that Tenet Healthcare was negligent and failed to implement proper technical safeguards to prevent a security incident. Specifically, the plaintiff argued that Tenet Healthcare and its affiliates were not in compliance with Federal Trade Commission (FTC) guidelines.

The plaintiff also alleged that he spent and will continue to spend a significant amount of time protecting his personal data and preventing it from being misused. The lawsuit did not cite any actual misuse of the plaintiff’s data.

As exemplified in the Supreme Court’s June 2021 ruling in Ramirez v. TransUnion, data breach victims must demonstrate actual injury and prove that the defendant’s conduct caused the damage to have Article III standing in a data breach lawsuit. The ruling signified a significant shift in how data breaches are handled in court.

A recent Baker Hostetler report observed an uptick in duplicative data breach lawsuits, often resulting in steep defense and settlement costs.

BakerHostetler analyzed more than 1,200 data security incidents from 2021 that its Digital Assets and Data Management Practice Group members helped clients manage. The incidents spanned a variety of sectors, but the results showed that healthcare was the most impacted industry, with 23 percent of the analyzed incidents affecting the sector.

The report revealed that 23 of the incidents resulted in one or more lawsuits. More than 58 lawsuits stemmed from those 23 incidents alone. What’s more, 43 of the more than 58 lawsuits were filed against healthcare organizations specifically.

As healthcare data breaches continue, data breach lawsuits are following suit.