Dive Brief:
- CommonSpirit Health is facing another lawsuit in the wake of a ransomware attack that disrupted operations at some of its facilities for weeks last year.
- The lawsuit, filed by patients in Washington state, alleges the health system failed to implement and maintain adequate cybersecurity measures to protect private patient information.
- Jose Antonio Koch filed the complaint in federal court on Jan. 13. His two children, who are minors and not named, are also listed as plaintiffs. They received care at St. Michael Medical Center in Washington, a member hospital of CommonSpirit, and allege their information was compromised. The lawsuit is seeking class action status. CommonSpirit did not respond to a request for comment.
Dive Insight:
This is at least the second lawsuit CommonSpirit is facing in the wake of a ransomware attack that exposed the private information of more than 623,700 people.
Another Washington state resident, Leeroy Perkins, filed suit in federal court in December, also alleging the Chicago-based system failed to implement basic data security measures to protect patient health information.
Perkins is also seeking class action status.
CommonSpirit Health, one of the nation’s largest health systems, first said in October that it experienced an “IT security incident” at an undisclosed number of its facilities in multiple regions.
Later, the system confirmed it was hit by a ransomware attack that interrupted access to electronic health records and delayed patient care in multiple markets.
Providers are required to notify the HHS when breaches occur. The HHS office tasked with overseeing health information privacy is now investigating the breach.
The attackers gained access to some files that contained names, addresses, phone numbers, birth dates and a unique ID used internally, CommonSpirit previously said.
The cyberattackers gained access sometime between Sept. 16 and Oct. 3, specifically affecting certain facilities of Virginia Mason Franciscan Health, a CommonSpirit entity.