
As the second-largest health system in the US, CommonSpirit Health maintains a good deal of personally identifying information (PII) and protected health information (PHI) in its systems. Unfortunately, the complaint for this class action alleges that it “employed inadequate data security measures to protect and secure” it, leading to a ransomware attack, a data breach and the exposure of the information.
The class for this action is all individuals in the US whose PII or PHI was compromised in the CommonSpirit data breach announced on or around December 1, 2022.
The complaint alleges, “CommonSpirit was well aware that the PHI and PII it collects is highly sensitive and of significant value to those who would use it for wrongful purposes.” In fact, the complaint alleges, “cybercriminals seek out PHI at a greater rate than other sources of personal information.” Nevertheless, the complaint claims, CommonSpirit did not take adequate measures to protect its systems from a cyberattack.
CommonSpirit first noticed suspicious activity on its network on October 2, 2022, the complaint alleges, and on October 17 announced “that it had been managing a response to a ransomware attack that had impacted some of its facilities.”
According to the complaint, a later investigation showed that hackers had gained access to the system between September 16 and October 3, 2022, and compromised the information contained in it. The information pertained to patients, or family members or caregivers of patients, from Virginia Mason Franciscan Health, an entity that is affiliated with CommonSpirit.
The exposed information included names, addresses, phone numbers, dates of birth, and ID numbers used by the organization, for more than 623,000 individuals. On December 1, 2022, the complaint alleges, CommonSpirit officially reported the data breach to the Department of Health and Human Services Office for Civil Rights, and sent notices to the individual victims on or around that date as well.
The complaint quotes Experian about the dire consequences of medical data breaches: “Having your records stolen in a healthcare data breach can be a prescription for financial disaster. If scam artists break into healthcare networks and grab your medical information, they can impersonate you to get medical services, use your data [to] open credit accounts, break into your bank accounts, obtain drugs illegally, and even blackmail you with sensitive personal details.”
Both the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission Act (FTCA) require that entities like CommonSpirit take reasonable and appropriate steps to protect the medical and other private information they keep in their systems.
The complaint alleges, “The Data Breach occurred as a direct result of [CommonSpirit’s] failure to implement and follow basic security procedures, and its failure to follow its own policies, in order to protect its patients’ PII and PHI.”
Article Type: Lawsuit
Topic: Privacy
Most Recent Case Event
CommonSpirit Ransomware Attack and Data Breach Complaint
December 29, 2022