25 HCA Healthcare data breach class action lawsuits filed (so far)

A plaintiff lawyer who has filed up to five lawsuits on behalf of clients allegedly harmed by HCA Healthcare’s data breach that impacted millions of patients said he expects them to be combined into one class-action suit.

In July, HCA, a Nashville-based company providing health care services to 180 hospitals and about 2,300 ambulatory care sites, announced in a news release it had experienced a data breach in which some

of its patients’ data was “made available by an unknown and unauthorized party on an online forum.”

Soon after, lawsuits were filed on behalf of those patients, with court documents saying as many as 11 million patients were affected (the release said HCA has “more than 37 million annual patient encounters”). Gerard Stranch IV, managing partner with Jennings & Garvey in Nashville, said he’s filed four or five of the over 25 suits that have been filed overall regarding the breach. Most of the cases have been filed in Tennessee, and one was filed in California.

“We’ve got about another half-dozen to dozen [clients considering filing suit] and have obviously looked at a larger number,” Stranch said. “The 25 cases on file now are all class actions, and the court in Nashville has already consolidated all the cases in the [U.S. District Court for the] Middle District of Tennessee into one docket.”

Related: Safeguarding Americans’ health information: How do we get there/?

The release stated the patients’ data posted online includes their names, addresses, email addresses, phone numbers, birthdates, genders, patient service dates, locations and next appointment dates, all information that’s protected under the federal HIPAA Privacy Rule. But Stranch wondered if more info was also posted online.

“My clients are concerned about the data that has been leaked about them,” he said. “They are not comfortable that the data is as limited as HCA initially represented and look forward to conducting discovery to determine exactly what was taken.”

One lawsuit stated HCA “attempted to downplay the data breach.”

“[The company claimed] that no passwords or payment information had been compromised, and that no “clinical information” had been leaked—despite the fact that patient treatment location and appointment data were compromised,” the suit said. “The reality, however, is that the information stolen from HCA is highly valuable and can be used to cause great harm to Plaintiff and the Class Members.”

In response to voicemail and email messages seeking comment on the lawsuits, a HCA spokesman provided a link to an update the company has provided on the data breach (https://hcahealthcare.com/about/privacy-update.dot) and emailed a statement regarding both the breach and the lawsuits.

“Our focus now is on our patients and ensuring they have information about the data security incident and the actions already underway to take care of them,” HCA said in the statement. “Our commitment to our patients is unwavering and is not affected by any class-action lawsuits or other legal proceedings. We will respond to any lawsuits or proceedings, in the appropriate forums and ordinary course.”

With cyberattacks on the rise, HCA is among several health care companies that have recently suffered data breaches and have faced lawsuits afterwards. In August a patient filed a lawsuit against the Chattanooga Heart Institute in Hamilton County State Court, claiming its March data breach impacted 170,450 individuals.

In July, Law.com’s Maria Dinzeo reported that last year the U.S. Court of Appeals for the Third Circuit found a former biopharmaceutical company employee had standing to bring a negligence class action against her old employer after a hacking group accessed its servers through a phishing attack in 2020, stealing a raft of personal information that the group later posted to the dark web.

Also in July, Law.com’s Michael Mora reported on the trend of data-breach class actions rising in federal courts nationwide in the previous year.

For example, Milberg Coleman filed a data breach class action in the U.S. District Court for the Northern District of Ohio against health care revenue cycle company Intellihartx LLC.

The firm had sued the health care company over its alleged failure to implement adequate data security measures stemming from a February breach of approximately 489,000 class members. And the plaintiff attorneys argued in the complaint that the defendant should have prevented the data breach.

That suit also said that data breaches “targeting health care entities that collect and store private information” have become “so notorious” that the FBI and the U.S. Secret Service “have issued a warning to potential targets so they are aware of, and prepared for, a potential attack.”