Lawsuits Call Ascension Data Breach Foreseeable and Preventable

Healthcare Finance reports that two lawsuits seeking class-action status have been filed concerning the May 8 Ascension data breach, a ransomware attack disrupting operations at the large healthcare system with more than 140 hospitals.

On May 12, Plaintiff Katherine Negron filed a class action complaint in U.S. District Court for the Northern District of Illinois. The next day, Plaintiff Ana Marie Turner filed in federal court for the Western District of Texas. Both suits seek monetary damages and demand a jury trial.

The suits, filed by the same Chicago law firm, allege failure to safeguard personal identifying information and protected health information. Plaintiffs say they were unable to communicate with their providers through the MyChart portal or to receive medical care and attention, according to the complaints. 

The FBI and the Cybersecurity and Infrastructure Security Agency say the Black Basta ransomware gang is behind the attack. Besides service disruptions, it resulted in the disclosure of names, dates of birth, patient records, and Social Security numbers, according to the lawsuits.

“Plaintiff and the Class also now forever face an amplified risk of further misuse, fraud, and identity theft due to their sensitive Personal Information falling into the hands of cybercriminals as a result of the tortious conduct of the defendant,” says the Illinois lawsuit.

It also alleges that Ascension failed to implement “reasonable and industry-standard data security practices,” and says the Ascension data breach “was a direct result of Defendant’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect patients’ Private Information from a foreseeable and preventable cyberattack.”

In addition to damages, the plaintiffs want improvements to Ascension’s data security systems, future annual audits, and adequate credit monitoring services.