Ascension Healthcare hit with 2 patient lawsuits following cyberattack

In the wake of the May 8 cyberattack on Ascension, which operates 140 hospitals in 19 states, two class-action lawsuits have been filed, alleging that the company failed to safeguard protected health information.


Two class-action lawsuits have been filed in the wake of the May 8 cyberattack on Ascension Healthcare, which operates 140 hospitals and 40 senior-living facilities in 19 states. The same Chicago law firm filed both lawsuits in federal courts in the Northern District of Illinois and the Western District of Texas.

The lawsuits allege that Ascension failed to safeguard personal identifying information and protected health information. Because of the cyberattack, the plaintiffs were unable to effectively communicate with their health-care providers through the MyChart patient portal or receive the requisite medical care and attention they needed, the complaint said.

Ascension failed to implement “reasonable and industry-standard data security practices,” the lawsuit said. “The data breach was a direct result of defendant’s failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect patients’ private information from a foreseeable and preventable cyberattack.”

In addition to monetary damages, the plaintiffs seek improvements to Ascension’s data security systems, future annual audits and adequate credit-monitoring services.

Ascension has not confirmed that patient information has been compromised.

“We are conducting a thorough investigation of the incident with the support of leading cybersecurity experts and law enforcement,” a company spokesperson told Healthcare Dive. “If we determine sensitive data was potentially exfiltrated or accessed, we will notify and support the affected individuals in accordance with all relevant regulatory and legal obligations.”

The lawsuits are part of a larger industry trend. As cyberattacks against health care providers have become more frequent, so too have lawsuits filed by patients aiming to hold systems accountable for alleged damages, including possible violations of privacy.

Lawsuits can be filed before health systems have even determined whether patients’ private information was compromised. For example, Change Healthcare was hit with multiple class-action lawsuits while it still was investigating the scope of a February cyberattack. Last summer, HCA Healthcare was sued a week after an attack that affected up to 11 million patient records.

David Kessler, head of privacy, information governance and e-discovery at the law firm Norton Rose Fulbright, told Healthcare Dive that the plaintiffs’ argument that breaches automatically equate to negligence is the “antithesis to case law.”

“The understanding is that there is no such thing as perfect data security — these events are going to happen, that’s the reality of our information age,” he said. “The question is, did the data owner take reasonable steps to prevent the event?”


Most cases of this type are settled out of court, Kessler said. “I don’t think there’s been a lot of bright-line rules developed in the case law around what is reasonable security or data governance,” he said. “And so until that settles out — which might take a very long time — there’s gonna be a lot of opportunities to bring cases.”