HCA Healthcare sued for recent data breach

Plaintiffs say the apparent theft of identity and other information announced this past week, which could impact as many as 11 million people, happened because the health system did not use "reasonable security procedures and practices."
By Mike Miliard
11:21 AM


Just one week after HCA Healthcare reported a data theft that affected more than 170 of its hospitals and could impact more than 11 million of its patients, the sprawling Nashville-based health system is facing a class action lawsuit for the breach.

According to the lawsuit, filed in U.S. District Court for the Middle District of Tennessee, plaintiffs Gary Silvers and Richard Marous, two HCA patients living in Florida, "seek monetary damages and injunctive and declaratory relief" arising from HCA's failure to safeguard the personally identifiable information and protected health information of the patients of "hospitals and physician groups it owned or operated, which resulted in unauthorized access to its information systems on or around June 2023."

The plaintiffs allege that HCA "did not use reasonable security procedures and practices appropriate to the nature of the sensitive information it was maintaining" for its patients and customers, such as encrypting the data or deleting it when it's no longer needed.

The exposure of this private information occurred when an attacker "accessed and acquired files" in HCA’s computer systems, the suit alleges, containing unencrypted information including names, dates of birth and appointment information.

The lawsuit says that, given that data thieves "regularly target entities in the healthcare industry," HCA "should have known" of the risk of a cyberattack.

"Defendant knew and understood that unprotected Private Information is valuable and highly sought after by criminal parties who seek to illegally monetize that Private Information through unauthorized access," according to the plaintiffs' suit.

It points to a "substantial increase in cyberattacks and/or data breaches" targeting healthcare entities like HCA as evidence.

"For example, of the 1,862 recorded data breaches in 2021, 330 of them, or 17.7%, were in the medical or healthcare industry," the plaintiffs' attorneys write. "The 330 breaches reported in 2021 exposed nearly 30 million sensitive records (28,045,658), compared to only 306 breaches that exposed nearly 10 million sensitive records (9,700,238) in 2020."

Lawsuits in the wake of large healthcare data breaches are becoming much more common as many more major organizations – providers, payers, vendors and others – find themselves reporting incidents involving the PII and PHI of millions of their customers. For instance, Community Health Systems, another major Tennessee provider network, has been sued after a breach exposed the data of about one million of its patients.

Harvard Pilgrim health plan's parent company, Point32Health, is defending against multiple class action lawsuits after a recent ransomware attack.

NextGen was recently sued in federal court after plaintiffs alleged the EHR provider didn't follow proper guidelines for protecting patient data.

This month has seen more than one lawsuit filed against Johns Hopkins, after the Baltimore-based health system was the target of a ransomware attack in which the Clop ransomware group exploited a vulnerability in Progress Software's MOVEit MFT tool.

Pennsylvania-based Lehigh Valley Health Network is another hospital system facing a class action suit, which is still in progress despite some changes in jurisdiction.

But, as HIPAA Journal points out: "Healthcare data breach lawsuits often hinge on whether there has been a concrete injury that more than likely was caused by a specific data breach. Lawsuits that only allege a risk of identity theft and fraud are unlikely to be granted standing."

"HCA Healthcare reported this event to law enforcement and retained third-party forensic and threat intelligence advisors," the health system said in a statement. "While our investigation is ongoing, the company has not identified evidence of any malicious activity on HCA Healthcare networks or systems related to this incident.

"The company disabled user access to the storage location as an immediate containment measure and plans to contact any impacted patients to provide additional information and support, in accordance with its legal and regulatory obligations," HCA officials added, "and will offer credit monitoring and identity protection services, where appropriate."

Mike Miliard is executive editor of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a HIMSS publication.
