Patient files class action lawsuit after hospital’s IT system is compromised.
Daniel Elliott, a Georgia resident and patient of St. Joseph’s/Candler (SJ/C) Hospital Health System, recently filed a class-action lawsuit on behalf of 1.4 million people who believe they may have had their personal information compromised in the ransomware attack against the St. Joseph’s/Candler hospital IT system discovered earlier this year. The information that may have been compromised, according to a letter issued by the hospital at the time of the attack, includes “name in combination with address, date of birth, Social Security number, driver’s license number, patient account number, billing account number, financial information, health insurance plan member ID, medical record number, dates of service, provider names, and medical and clinical treatment information regarding care you received from SJ/C.”
At the time of the data breach, hospital CEO and President Paul Hinchey announced, “We’re fully operational right now. There are a few hotspots where we have to change out computers. But in terms of the hospital, we’re back electronically, which was a big sea change for us, because we went from a fully integrated system to a paper system, and we haven’t done that in 25 years.”
Hinchey added that the hospital system continues to take measures to ward off future attacks, saying, “These entities, they reinvent themselves at warp speed. So, we’ve hired several national companies, one who does all the security for Amazon, and we put in all of these firewalls to make sure we mitigate that as best we can from ever happening again because once is enough.”
The health care system is also offering patients a one-year membership to Experian’s IdentityWorks, which helps ensure sensitive information is protected moving forward.
Elliott claims the hospital neglected to “design, adopt, implement, control, direct, oversee, manage, monitor and audit appropriate data security process, controls, policies, procedures, protocols and software and hardware systems” to protect patients’ information.
Soumitra Bhuyan, assistant professor at the Edward J. Bloustein School of Planning and Public Policy at Rutgers University, said, “On average it takes about 96 days to identify the data breach. In some cases, it can take longer. There are hospitals that did not identify that a breach happened for a year.” This means, in some cases, a host of information can be stolen long before an entity even realizes there is an issue.
The class action seeks a jury trial, an unspecified amount of monetary relief for punitive damages, restitution and disgorgement, and payment of attorney fees.