St. Joseph’s/Candler Health System Hacker Takeover Class Action

St. Joseph’s/Candler Health System, Inc. (SJ/C) provides medical care to people in a 4,000-square-mile area of Georgia and South Carolina. In December 2020, cybercriminals hacked into its systems and did not merely steal information; six months later, they rendered the entire system inoperable, even down to the telephones. The complaint for this class action alleges that the difficulties were brought about by SJ/C’s own failures.

According to the complaint, the hacking of SJ/C’s systems began on or about December 18, 2020, with the theft of the medical and personal information of around 1,400,000 people. The personal health information (PHI) and personally identifiable information (PII) included such things as names and addresses, Social Security numbers, driver’s license numbers, billing account and financial information, health insurance information, family, employment, and emergency contact information, medical record numbers, and medical and clinical treatment information.

But the problem didn’t end on that day. The complaint alleges, “For a full six months after these criminals first accessed SJ/C’s IT system, the hackers were able to move freely and undetected through the hospital system’s IT network.”

On June 17, 2021, the hackers took the entire IT system hostage. The complaint quotes from an article in the Savannah Morning News: “It was … a complete information technology (IT) meltdown. Everything, from electronic medical record[s] (EMR) used to document encounters to the lab, radiology and billing software, went down. Even the phones … stopped working.”

The hospital was forced to go back to more primitive methods of preserving and relaying information, “with paper charting, handwritten notes, and lab runners taking lab and x-ray results to the floors, the emergency room and the operating room.”

It took more than two weeks to get the computer systems operating again. The complaint claims that this all happened because of SJ/C’s “failure to adequately and regularly back up data and/or failure to create a reasonable data recovery plan, despite having been warned to do so by multiple federal agencies…” According to the complaint, “SJ/C was on clear notice that cyber criminals were planning precisely this type of attack on hospitals.

The complaint details reports from the Department of Health and Human Services (HHS), the Cybersecurity and Infrastructure Security Agency (CSIA), and the FBI, as well as reports and warnings from other sources about cyberattacks.

SJ/C then did not warn patients that their PII and PHI had been exposed until August 10, 2021, nearly two months after the data breach was discovered.

The class for this action is all persons whose PHI and PII was accessed by and disclosed to unauthorized persons in the data breach, including but not limited to all persons who received notice of the data breach, between December 18, 2020 and the present.

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy