Class Action Lawsuit Alleges R1 RCM, Dignity Health Failed to Protect Patient Data from Cyberattack

New to ClassAction.org? Read our Newswire Disclaimer

R1 RCM, Inc. faces a proposed class action lawsuit over a 2023 cyberattack that compromised the personal data of patients of Dignity Health's St. Rose Dominican Hospital, Rose de Lima campus, in Henderson, Nevada.

Did you receive a data breach letter from R1 RCM? Let us know here.

According to the 21-page data breach lawsuit, more than 16,000 current and former Dignity Health patients were affected by the cyberattack that targeted R1 RCM, a third-party vendor used by the hospital for revenue cycle management services. The suit relays that between January 30 and November 17, 2023, an unauthorized threat actor gained access to R1 RCM’s computer network and acquired files that contained private patient data.

Per the case, the personal information exposed in the Dignity Health data breach included at least patients’ names, dates of birth, Social Security numbers, addresses, contact details, medical record and patient account numbers, clinical data and service locations.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The complaint claims that the hospital and the vendor negligently failed to maintain reasonable cybersecurity protocols to protect patient data, which was allegedly stored unencrypted in R1 RCM’s computer systems. The filing argues that the defendants could have prevented the incident had they properly encrypted the sensitive information or destroyed it when it was no longer needed.

The lawsuit contends that as a result of the defendants’ negligence, data breach victims are now at a greater risk of being targeted for cybercrimes at the hands of data thieves.

In addition, the suit charges that the hospital and its vendor failed to promptly notify impacted individuals that their private information had been stolen in the first place. As the case tells it, although R1 RCM learned of the incident in November 2023, neither defendant began to notify victims until March of this year, nearly four months later.

The plaintiff, a former Dignity Health patient residing in Nevada, says she received notice from R1 RCM in mid-March 2024, informing her that her sensitive data had been compromised in the breach. Since the incident, the woman has discovered unauthorized credit inquiries on her credit report, and learned that her private information was found on the dark web, the complaint shares.

The lawsuit looks to represent anyone whose private information was impacted by the data breach, including those who were sent notice of the incident by or on behalf of R1 RCM or Dignity Health.

Did you receive a data breach letter from R1 RCM? Let us know here.