NASHVILLE, Tenn. (WKRN) — A patient of Ascension Saint Thomas Hospital has filed a class action lawsuit against the hospital group over what she says is the unauthorized breach of medical information stemming from a cyberattack earlier this month.
In the complaint, the patient says the hospital "failed to undertake adequate measures to safeguard the private information" of its patients, "including failing to implement industry standards for data security and failing to properly train employees on cybersecurity protocols," which resulted in the May 8 breach of patient data.
According to the hospital, officials noticed "unusual activity on select technology network systems" and determined it to be a "cybersecurity event." Later on, officials identified the incident as a "ransomware attack," according to the lawsuit.
Despite promising to notify patients if their personal identifying information was affected in the attack, the complaint says the hospital group has "obfuscated key details" of the data breach, including "failing to disclose to affected patients whether or not their information was unauthorizedly disclosed." The suit also claims the hospital has not revealed the identity of the ransomware criminal, whether it paid the ransom, whether the cybercriminals have said the private information was taken and "other pertinent details necessary for affected patients to take appropriate measures to protect themselves from the Data Breach."
The patient believes their personal identifying information—including names, birth dates, Social Security numbers, medical history, health insurance information and payment information—was illegally obtained in the cyberattack, citing in the complaint media reports stating as much.
Further, the lawsuit claims Ascension failed to take "necessary precautions required to safeguard and protect" their information, putting their patients at risk of identity theft, financial fraud and "other harms."
They claim Ascension failed to meet minimum cybersecurity standards recommended by the Center for Internet Security's Critical Security Controls, which contributed to the hospital group's vulnerability in the ransomware attack.
They are asking the Court to certify the class action lawsuit, allowing many others to join in the lawsuit, as well as to award restitution and damages to each member of the certified class. They also seek a declaratory judgment and injunctive relief as necessary to protect their interests.