Lawsuit: 'Negligence' Led to Memorial Health System Attack2021 Incident, Reportedly Involving Hive Ransomware, Affected Nearly 216,500
A proposed class action lawsuit has been filed against Ohio-based Memorial Health System in the wake of a ransomware attack last August that reportedly involved the Hive cybercriminal gang, resulting in a health data breach affecting nearly 216,500 individuals.
In court documents filed on Jan. 19 in an Ohio federal court, plaintiff Kathleen Tucker, on behalf of herself and others similarly situated, alleges that Marietta Area Health Care Inc., which does business as Memorial Health System, was negligent in its failure to safeguard the individuals' sensitive personal information from unauthorized access by cybercriminals.
MHS "maintained the private information in a reckless manner. In particular, the Private Information was maintained on Defendant’s computer system and network in a condition vulnerable to cyberattacks," the lawsuit complaint alleges.
"Plaintiff and Class Members’ identities are now at risk because of Defendant’s negligent conduct since the Private Information that Memorial Health collected and maintained is now in the hands of data thieves," the complaint alleges, adding that the incident was linked to a ransomware attack reportedly conducted by Hive.
The complaint alleges that media site Bleeping Computer reported that it had seen evidence suggesting that databases containing Memorial Health System patients' sensitive data had been exfiltrated by Hive in the attack.
Hive maintains a data leak site on the dark web that is used to pressure victims into paying the ransom once it obtains the sensitive information, the lawsuit says.
MHS, based in Marietta, Ohio, operates three hospitals in Ohio and West Virginia and employs over 2,700 employees, including 325 healthcare providers at 64 clinics, according to the entity's website.
On Jan. 12, MHS reported the data breach to the state of Maine's attorney general as affecting nearly 216,500 individuals, including 26 Maine residents.
A breach notification statement posted on MHS' website says the malware incident affected information including name, address, Social Security number, medical/treatment information and health insurance information.
The healthcare entity is offering affected individuals one year of complimentary credit and identity monitoring.
MHS' breach statement on its website says its investigation into the incident determined that in connection with the malware event, an "unauthorized actor" accessed certain systems within its network on or about July 10 through Aug. 15, 2021.
Patient Care Disruptions
The cyberattack forced the organization to suspend user access to applications related to its operations and divert emergency care patients from its hospitals to other area facilities. It also disrupted patient services for several days, including postponement or cancellation of various surgical and radiological appointments.
"Emergency protocols were implemented that forced the medical staff off-line and to work with paper charts until the system could be restored thereby placing patients at risk for medical errors," the lawsuit complaint alleges.
In an Aug. 18 statement posted on its website, MHS noted that following a "negotiated solution," it had begun the process of restoring systems (see: Healthcare Organizations Mopping Up After Cyberattacks).
Among other claims, the lawsuit alleges that MHS failed to comply with HIPAA requirements in safeguarding protected health information and the Federal Trade Commission's guidelines for securing personal information.
Due to MHS' negligence, "cyberthieves" were able to access MHS' computer network and systems containing "unsecured and unencrypted" personally identifiable information, the lawsuit alleges.
"Accordingly, Plaintiff and Class Members now face an increased risk of fraud and identity theft," the complaint alleges.
The lawsuit alleges MHS's "unlawful conduct" includes, among other things, failing to:
- Properly monitor its data security systems for existing intrusions;
- Ensure that its vendors with access to its computer systems and data employed reasonable security procedures;
- Train its employees in the proper handling of emails containing PII and PHI and maintain adequate email security practices;
- Implement technical policies and procedures to allow electronic PHI access only to individuals or software programs granted access rights;
- Implement procedures to review records of information system activity regularly, such as audit logs, access reports and security incident tracking reports;
- Protect against reasonably anticipated threats or hazards to the security or integrity of electronic PHI.
Among other relief, the lawsuit is seeking damages as well as orders for MHS to: pay for three years of credit monitoring services for affected individuals, "utilize appropriate methods and policies" for handing consumer data and disclose "with specificity" the type of PII and PHI compromised in the data breach.
MHS did not immediately respond to Information Security Media Group's request for comment on the lawsuit.
Although proposed class action lawsuits get filed in the aftermath of many large data breaches, some experts note that plaintiffs and class members often face an uphill legal battle.
"Only a few class action lawsuits alleging damages as a result of the unauthorized disclosure of consumers' sensitive personal information have actually progressed to a trial in the federal courts" says privacy attorney David Holtzman of the consulting firm HITprivacy LLC.
"Many of these types of cases fail to establish that they have standing to bring a case - or in other words, meet the burden of alleging the type of harm for which the consumer seeks remedy."
Consumers in a class action lawsuit who can show they have been victims of financial fraud or identity theft, or actual present harm, generally have been granted standing to pursue their claims, he says.
"The Supreme Court's 2016 decision in Spokeo, Inc. v. Robins held that plaintiffs who established a 'risk of future harm' could potentially establish standing," Holtzman says.
"The plaintiff has to show actual injury - in the data breach context, perhaps evidence of actual identity theft or monetary losses."
Standards for how individuals demonstrate actual harm from misuse of their sensitive information or have reasonable expectation that they are at significant risk of being victimized is evolving in the various federal trial courts on a case-by-case basis, he says.
Technology attorney Steven Teppler of the law firm Sterlington PLLC says the ability of individuals affected by ransomware attacks to demonstrate that their PII is available on a darkweb "leak site" is important in establishing the "use" of the data by cybercriminals - such as offering to sell the PII.
This could help individual victims "provide sufficient evidence to demonstrate the existence and more imminent likelihood of harm through identity comprise."
In the meantime, a trend has developed favoring negotiating settlements in class action lawsuits that arise from large data breaches involving sensitive personal information, such as Social Security numbers, financial information or health records, Holtzman says.
"Settlements are attractive because of the high bar plaintiffs must face to show that people suffered measurable harm because of the unauthorized disclosure of their personal information," he says.
And in their lawsuits, he adds, plaintiffs must also prove that the data owner or processor failed to establish or maintain reasonable security measures that would have prevented the unauthorized access.
"Businesses and healthcare organizations defending against class action data breach litigation find settlements attractive because of the substantial cost and business disruption from mounting a legal defense as well as the uncertainty and risk posed by a judgement that they are at fault."
Among recent examples is a proposed settlement disclosed this week in a 2015 class action lawsuit filed against health insurer Excellus Blue Cross Blue Shield in the wake of a cyberattack that affected 10.5 million individuals.
The proposed settlement does not provide monetary payments to the plaintiffs of class members, but it calls for Excellus to take a series of measures to improve data security.