
CommonSpirit Health, the second-largest healthcare system in the US, in 2021 acquired Virginia Mason and combined it with CHI Franciscan to create an entity called Virginia Mason Franciscan Health. The complaint for this class action alleges that CommonSpirit bears responsibility for a ransomware attack that exposed personally identifiable information (PII) and protected health information (PHI) associated with Virginia Mason Franciscan Health and possibly other entities in CommonSpirit’s systems.
The class for this action is all persons whose private information was compromised in the data breach announced by CommonSpirit on or around October 4, 2022.
“For more than two weeks, between September 16, 2022 and October 3, 2022,” the complaint alleges, “CommonSpirit lost control of the highly sensitive Private Information and as a result of a data breach perpetrated by an unauthorized party which gained access to [CommonSpirit’s] computer system through a ransomware attack.” Even so, the complaint alleges that CommonSpirit did not detect the improper activity in its systems until October 2, 2022.
The complaint claims that the data breach affected at least some 623,000 individuals and at least seven hospitals, and possibly around 300 of CommonSpirit’s health care locations. According to the Notice of Security Incident, the information exposed included names, addresses, dates of birth, phone numbers, and internal CommonSpirit ID numbers.
CommonSpirit said only that Virginia Mason Franciscan Health entities were affected by the data breach, but the complaint claims that “other medical systems in [CommonSpirit’s] system have experienced significant disruptions in their operations which included doctors giving patients wrong doses of medication and patients not being able to schedule appointments.”
The complaint alleges that the attack was caused by CommonSpirit’s failure to take adequate measures to protect the PII and PHI it maintained in its files.
The complaint faults CommonSpirit for providing very little information about the attack, such as whether the exposed data was encrypted.
CommonSpirit had a duty to safeguard the information, the complaint claims, under the Health Insurance Portability and Accountability Act (HIPAA), the Federal Trade Commission (FTC) Act, and industry standards.
In recent years, ransomware attacks and data breaches have both become common, especially for healthcare entities, the complaint alleges. It quotes a Federal Bureau of Investigation (FBI) report as saying, “Entities like smaller municipalities and hospitals are attractive to ransomware criminals … because they often have lesser IT defenses and a high incentive to regain access to their data quickly.” The complaint claims that CommonSpirit should have therefore known that it could be a target of cybercriminals.
Article Type: Lawsuit
Topic: Privacy
Most Recent Case Event
CommonSpirit Ransomware Attack and Data Breach Complaint
January 13, 2023