By Jill McKeon
January 23, 2023 – CommonSpirit Health is now facing a class action lawsuit in the aftermath of a Fall 2022 cyberattack that impacted facilities across one of the largest nonprofit healthcare systems in the US. As previously reported, CommonSpirit began reporting IT outages, EHR downtime, and appointment cancellations in early October, later confirming that these disruptions were caused by a ransomware attack.
The attack impacted a variety of CommonSpirit facilities in different ways. Some facilities remained untouched, while others experienced weeks of disruptions to patient portals and payroll platforms. CommonSpirit reported the breach to HHS as having impacted 623,774 individuals.
The latest lawsuit alleges that CommonSpirit “lost control” of highly sensitive information as a result of the breach and suggests that the health system “has not been forthcoming” about the breach.
“In fact, the number of actual victims of the Data Breach may be much higher – potentially as high as twenty million individuals,” the lawsuit alleged.
“Despite the prevalence of ransomware and other data security attacks in recent years, the Data Breach was a direct result of Defendant’s abject failure to implement and to maintain adequate and reasonable cybersecurity procedures and protocols necessary to protect Plaintiffs’ and the Class Members’ Private Information,” the complaint stated.
The plaintiffs are seeking reimbursement for out-of-pocket costs, credit monitoring services, and improvements to CommonSpirit’s data security systems.
Lawsuits in the aftermath of a healthcare data breach have become extremely common, often resulting in hefty settlements. For example, Scripps Health recently reached a $3.5 million settlement to resolve allegations following a 2021 ransomware attack.
In addition, Morley Companies, a provider of business services to many companies, including healthcare organizations, reached a $4.3 million settlement following a breach that impacted more than 521,000 individuals.