HCA Healthcare hit with 4 class-action lawsuits following patient data breach

The hospital chain, which announced last week that the breach affected 11 million patients, “knew or should have known” that the private information it collects is “highly sought after by criminal parties,” plaintiffs wrote in one complaint filed last week.

HCA Healthcare now faces four class-action lawsuits following a massive breach of patient data.

The lawsuits were filed after the company disclosed that an external storage location used to automate email message formatting had been compromised. Lists containing up to 27 million rows of data, potentially affecting 11 million patients, were accessed. Information such as patient names, emails, dates of birth and appointment locations was posted online.

Patients Gary Silvers and Richard Marous filed a lawsuit outlining one count of negligence, one count of negligence per se and one count of breach of implied contract. The plaintiffs are seeking monetary damages, legal fees, a jury trial and injunctive relief, as well as demanding that HCA Healthcare implement additional safeguards to better protect patient data. The other three complaints filed last week followed similar lines of argument and also listed other charges related to invasion of privacy, unjust enrichment and breach of fiduciary duty.

In announcing the breach, HCA said it reported the hack to law enforcement and retained third-party forensic and threat intelligence advisors. It disabled user access to the breached data storage location — a move plaintiffs said was insufficient — and plans to offer credit monitoring and identity protection services where appropriate.

“Our focus now is on our patients and ensuring they have information about the data security incident and the actions already under way to take care of them,” an HCA spokesperson told Becker’s Hospital Review. “Our commitment to our patients is unwavering and is not affected by any class-action lawsuits or other legal proceedings. We will respond to any lawsuits or proceedings in the appropriate forums and ordinary course.”

The breach affects patients in nearly two dozen states. The attempted data sale was flagged on Twitter by Brett Callow, an analyst at New Zealand-based Emsisoft.

“This may be one of the biggest health care-related breaches of the year and one of the biggest of all time,” Callow told CNBC. “That said, despite affecting millions of people, it may not be as harmful as other breaches as, based on HCA’s statement, it doesn’t seem to have impacted diagnoses or other medical information.”

The health-care sector experienced approximately 295 breaches affecting more than 39 million individuals during the first half of 2023, according to the Department of Health and Human Services’ Office for Civil Rights. If 11 million patients are affected, the HCA Healthcare breach would rank in the top five health-care hacks reported to the department, according to the Associated Press. The worst such hack, a 2015 breach of the medical insurer Anthem, affected 79 million people.

The suspected HCA Healthcare hacker, who first posted a sample of stolen data online on July 5, was trying to sell the data and apparently trying to extort the company, the AP reported.