Four patients visiting three hospitals in Alabama have filed a class action lawsuit against operator DCH Health System charging the company violated federal health information privacy laws (HIPAA) and endangered their medical care during a ransomware attack three months ago.
The patients, all of whom are identified in the claim, accuse the health system of negligence, invasion of privacy, breach of contract and breach of fiduciary duty resulting from the October 1, 2019 Ryuk ransomware attack that crippled DCH for 10 days, AL.com reported. The lawsuit has been filed in the Western Division of U.S. District Court for the Northern District of Alabama. The cyber extortion, which infected systems at DCH Regional Medical Center, Fayette Medical Center and Northport Medical Center, forced the facilities to turn away all but critical care patients.
“Because of the ransomware attack, plaintiffs and class members had their medical care and treatment as well as their daily lives disrupted,” the lawsuit claimed. “As a consequence of the ransomware locking down the medical records of plaintiffs and class members, plaintiffs and the class members had to forego medical care and treatment or had to seek alternative care and treatment.” (via AL.com)
Three of the plaintiffs described their claims, which ranged from an inability to get prescribed medications to being turned away from treatment for a severe allergic reaction to inadequate follow-up treatment. A fourth patient contended less specifically that her medical records and care had been compromised.
In the attack’s wake, officials said the hacker gained access to medical records and other patient information but no data has been misused or removed from DCH’s systems. However, the plaintiffs maintain that DCH violated HIPAA laws and other laws governing medical records and failed to secure sensitive patient information. “Defendant breached its obligations to plaintiffs and class members and/or was otherwise negligent and reckless because failing to properly maintain and safeguard its computer systems and data,” the filing said. (via AL.com) The lawsuit does not seek a specific dollar amount in damages.
Ryuk was first discovered in August 2018. The ransomware often goes undetected for days or months after an initial infection, and it enables a threat actor to identify and attack an organization’s critical network systems.