Daniel Elliott, a Georgia resident and patient of St. Joseph’s/Candler Hospital Health System, has filed a class-action lawsuit on behalf of himself and the 1.4 million patients, professionals, and clients whose personal, financial and health information may have been compromised in the ransomware attack against the hospital’s IT systems.
According to the lawsuit, patients suffered an increased risk of identity theft and medical identity theft, and “have been forced to expend, and must expend in the future, to monitor their financial accounts, health insurance accounts, and credit files as a result of the data breach.” No specific instances of identity theft were cited in the lawsuit.
Plaintiffs further allege the hospital neglected to “design, adopt, implement, control, direct, oversee, manage, monitor and audit appropriate data security process, controls, policies, procedures, protocols and software and hardware systems” to protect patients’ information. That information could include, according to a letter sent by CEO Paul Hinchey on Aug. 10, a patient’s name, address, birth date, social security and driver’s license numbers, billing accounts, health insurance plans, and medical records, among other personal and financial details. In the letter, Hinchey said the hospital had returned to “fully operational” status.
Emails and phone calls to the law firm that filed the suit were not returned. St. Joseph’s/Candler’s spokesperson, Scott Larsen, said that the hospital does not comment on pending litigation.
Soumitra Bhuyan, assistant professor at the Edward J. Bloustein School of Planning and Public Policy at Rutgers University, previously told the Savannah Morning News that, on average, it takes about 96 days to identify a data breach. In some cases, it can take longer.
“There are hospitals that did not identify that a breach happened for a year,” she said.
The health care system is offering patients a one-year membership to Experian’s IdentityWorks, which helps detect possible misuse of personal info.
The plaintiffs in the class-action lawsuit are seeking a jury trial, an unspecified amount of monetary relief for punitive damages, restitution and disgorgement, and payment of attorney fees.
Savannah Morning News reporter Nancy Guan contributed to this report.
Raisa is a Watchdog and Investigative Reporter for The Savannah Morning News. Contact her at [email protected]