Lawsuit: Health System Failed to Heed Ransomware Warnings
Proposed Class Action Suit Filed After Breach Affecting 1.4 Million
A proposed class action lawsuit filed this week against St. Joseph's/Candler Health System in the wake of a recent ransomware breach affecting 1.4 million individuals alleges that the Georgia-based healthcare entity was "reckless" and "negligent" in safeguarding patients' information.
The lawsuit, filed against St. Joseph's/Candler on Tuesday in a federal Georgia court by patient Heather Betz on behalf of herself and others similarly situated, alleges, among other claims, that the entity failed to act on warnings by federal authorities and cybersecurity experts of the ransomware threats facing the sector.
The lawsuit seeks damages and five years of credit and identity monitoring, as well as improvements to the healthcare system's data security.
Savannah, Georgia-based St. Joseph’s/Candler is a 714-bed healthcare system that includes two hospitals and several other facilities.
The lawsuit notes that through 2020 and into early 2021, various federal agencies, including the Department of Health and Human Services, the Cybersecurity and Infrastructure Security Agency and the FBI had issued a number of alerts for hospitals and other healthcare sector entities warning of ransomware attacks, including those involving the Maze and Conti ransomware groups (see: U.S. Hospitals Warned of Fresh Wave of Ransomware Attacks).
"Despite repeated, explicit, detailed warnings as to the manner in which hackers were targeting hospitals' IT systems and how to prevent such attacks, the defendant maintained an IT system vulnerable to attacks from those very same cybercriminals," the complaint alleges.
It says the data breach was the direct result of St. Joseph's/Candler's failure to implement security protocols that were adequate and reasonable.
Additionally, despite concrete and specific instructions from federal agencies and cybersecurity experts, St. Joseph's/Candler failed to implement reasonable and necessary measures to monitor its IT and data systems to detect cybercriminals' intrusion into its network, the lawsuit alleges.
St. Joseph's/Candler's security incident notification statement notes that the entity on June 17 identified suspicious activity in its IT network.
The healthcare provider says it "immediately" took steps to isolate and secure its systems, notify law enforcement authorities and launch an investigation with the assistance of cybersecurity firms.
St. Joseph's/Candler says its investigation determined that the incident resulted in an unauthorized party gaining access to the organization's IT network between Dec. 18, 2020, and June 17, 2021.
"While in our IT network, the unauthorized party launched a ransomware attack that made files on our systems inaccessible," the entity said in its statement.
Potentially compromised files contained patient names, addresses, dates of birth, Social Security numbers, driver’s license numbers, patient account numbers, billing account numbers, financial information, health insurance plan member IDs, medical record numbers, dates of service, provider names and treatment information, the statement says.
'Coup de Grâce' Attack
From the time the unauthorized access to St. Joseph's/Candler's IT network began in December 2020, cybercriminals were allowed months "to roam freely and undetected" in the entity's network, putting individuals' personally identifiable information and protected health information at risk for identity theft, fraud and other cybercrimes, the lawsuit alleges.
The suspicious activity detected on June 17 was the "coup de grâce" - or death blow - of the hackers' six-month attack, the complaint alleges.
"They were holding the hospital system's IT systems hostage, demanding an as-yet-unknown payment in order to release their hold on the system."
The lawsuit alleges that all of St. Joseph's/Candler's IT systems went down at 4 a.m. on June 17, including its electronic medical records and VoIP phones.
It took more than two weeks for St. Joseph's/Candler "to slowly come back online," the lawsuit alleges.
The complaint alleges negligence, breach of contract, breach of fiduciary duty and violations of Georgia laws, including its unfair business practice laws, among other claims.
St. Joseph's/Candler did not immediately respond to an Information Security Media Group request for comment on the lawsuit and its allegations.
As of Wednesday, the St. Joseph's/Candler incident was the sixth-largest HIPAA breach posted in 2021 on the Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals (see: Health Data Breach Tally Update: Ransomware Persists).
St. Joseph's/Candler is among the latest healthcare entities to face proposed class action lawsuits in the wake of large health data breaches in 2021.
For instance, on Sept. 1, a lawsuit was filed against DuPage Medical Group following a July "network outage" resulting in the suburban Chicago medical practice reporting a health data breach to HHS affecting more than 655,000 individuals (see: Lawsuit Alleges Security Failures at Clinic).
DuPage Medical Group has not publicly confirmed whether its network outage also involved ransomware.
But like the lawsuit against St. Joseph's/Candler, the legal action against DuPage Medical Group alleges a variety of security failures by the medical practice.