Hacked Off: Patients Sue Ransom-Paying Hospital Group
Post-Ransomware Attack Lawsuit Against Hackensack Meridian Health Seeks Damages
A lawsuit seeking class action status has been filed against a New Jersey healthcare organization in the wake of a ransomware attack last December in which the entity paid attackers a ransom to unlock its systems.
The lawsuit filed against Edison, N.J.-based Hackensack Meridian Health, which has 17 hospitals and other care locations in the state, seeks damages for the patients affected.
The ransomware attack on Dec. 2, 2019, brought down the organization's computer network for two days, "leaving hospitals in the HMH network to reschedule non-emergency surgeries and doctors and nurses scrambling to deliver care without access to electronic records," the lawsuit states.
Because of the ransomware attack, patients had their medical care and treatment disrupted, the complaint alleges.
"As a consequence of the ransomware locking down the medical records ... plaintiffs and class members had to, among other things, forego medical care and treatment or had to seek alternative care and treatment," the lawsuit alleges.
"What's more, aside from having their lives disrupted, plaintiffs' and class members' identities are now at risk because of [HMH's] negligent conduct, since the private information that [HMH] collected and maintained is now in the hands of data thieves. ... exposing [them] to a heightened and imminent risk of fraud and identity theft."
In a statement provided to Information Security Media Group, HMH states that after the ransomware attack, the network took immediate action to protect its patients and to remediate the issue.
"We notified the appropriate authorities, including the FBI, other law enforcement and regulatory authorities," according to the statement. "Due to the extraordinary efforts of our physicians, nurses and clinical teams, patient safety was assured during the attack. We also engaged external cybersecurity and forensics experts, who found no evidence that any patient information was subject to unauthorized use or disclosure."
In a statement provided to ISMG last December following the ransomware attack, HMH said: "Due to the frequency with which healthcare organizations are targeted by cybercriminals, we have comprehensive coverage in place to help cover costs associated with a cyberattack, including payment, remediation and recovery efforts. We believe it's our obligation to protect our communities' access to health care. However, we cannot disclose the amount of the ransomware payment due to confidentiality agreements."
The lawsuit alleges that HMH did not report the incident to HHS' Office for Civil Rights as a health data breach as required under HIPAA, did not notify individuals whose records were impacted by the attack, and did not offer any credit or ID monitoring to those whose data was affected.
HHS OCR several years ago issued guidance advising organizations that under most circumstances, ransomware attacks are considered reportable breaches under HIPAA.
HMH did not immediately respond to an inquiry about whether it reported the ransomware attack to the U.S. Department of Health and Human Services as a health data breach.
As of Tuesday, the HHS HIPAA Breach Reporting Tool website listing data breaches impacting 500 or more individuals did not show any breach reports filed by HMH.
Independent HIPAA attorney Paul Hales, who is not involved in the case, notes: "The ransomware attack may not be a reportable HIPAA breach if HMH determines it resulted in a low probability of compromise to the health information involved."
Identities at Risk
The lawsuit says plaintiffs believe their private information was stolen and subsequently sold after the ransomware attack, putting them at risk for identity theft and related crimes.
Technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C., who's not involved in the case, notes that plaintiffs alleging that their data was "stolen" and subsequently "sold" as a result of the attack potentially could demonstrate "that [the] ransomware has pre-encryption lockout capabilities [that] would create a more realistic likelihood that the threat actors intended for a double dip extortion."
For ransomware attacks using the new hybrid ransomware variants that exfiltrate and then encrypt, "erring on the side of disclosure is probably the best approach, but again, this is really ... dependent upon a thorough cybersecurity investigation coupled with a robust risk analysis," Teppler says.
The lawsuit also contends that as a consequence of the ransomware attack on HMH, medical care and treatment "was disrupted and compromised." For example, at least one plaintiff could not get his prescriptions renewed as a consequence of the attack, the lawsuit alleges.
"As a result of the defendant's failure to fulfill the data security protections promised ... plaintiffs and members of the class did not receive the full benefit of the bargain, and instead received healthcare and other services that were of a diminished value to that described in the contracts," the lawsuit states.
As a result, patients were "damaged" in an amount "at least equal to the difference in the value of the healthcare with data security protection they paid for and the healthcare they received," the suit alleges.
The lawsuit asks the court to require HMH to refrain from "engaging in the wrongful conduct pertaining to the misuse and/or disclosure of plaintiffs' and class members' private Information, and from refusing to issue prompt, complete and accurate disclosures" to individuals about the incident.
The lawsuit also seeks to compel HMH "to utilize appropriate methods and policies with respect to consumer data collection, storage, and safety, and to disclose with specificity the type of PII and PHI compromised during the ransomware attack."
So far, HMH has not disclosed the type of information impacted by the attack, nor the number of individuals' records potentially affected.
The lawsuit also seeks "equitable relief requiring restitution and disgorgement of the revenues wrongfully retained as a result of [HMH's] wrongful conduct." It also requests that HMH be required to pay for at least three years of credit monitoring services for the patients who were affected.
In addition, the lawsuit seeks "an award of actual damages, compensatory damages, statutory damages and statutory penalties, as well as punitive damages."
Paying the Ransom
Hales, the HIPAA attorney, says that HMH "paid the ransom no doubt to do the right thing - restore patient care quickly. However, it may indicate serious problems for HMH's defense because it suggests HMH lacked sufficient data backup and effective contingency plans for recovery and emergency mode operation required by HIPAA."
Failure to comply with HIPAA, he says, "violates a professional standard of care akin to alleged failure to meet professional standards of care in medical malpractice cases. Filing the class action lawsuit is the opening gambit of a long chess game between lawyers. Class actions focused on health information breaches are the new normal."