CommonSpirit Health Failed to Protect Private Patient Info from Data Breach, Class Action Claims

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit accuses CommonSpirit Health of failing to protect patients’ personal information from a data breach that occurred between September and October 2022.

According to the 50-page lawsuit, CommonSpirit Health “lost control” of its confidential patient data for over two weeks between mid-September and early October of last year after its computer system was accessed by an unauthorized third party. The suit relays that the private information compromised during the cyberattack included patients’ and their family members’ names, addresses, phone numbers, dates of birth and unique IDs used within CommonSpirit Health’s system.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The case alleges that the data breach was a result of the defendant’s negligence and “abject failure” to take basic cybersecurity precautions to protect the personally identifiable information (PII) and protected health information (PHI) stored in its network.

The complaint also takes issue with CommonSpirit Health’s alleged failure to notify victims in a timely manner that their private data had been compromised. Though the unauthorized access was discovered in early October, the defendant “inexplicably waited” until December 1 to begin notifying those who were impacted, the filing says.

“CommonSpirit has not been forthcoming about the Data Breach, which affected at least 623,774 individuals, at least 7 hospitals and potentially 300 medical care sites managed by Defendant,” the lawsuit reads.

Per the suit, the information in CommonSpirit Health’s letter is “noticeably scant” and “attempts to minimize the extent of harm” caused by the cyberattack.

The defendant reported that only entities of Virginia Mason Franciscan Health—a health system owned and operated by CommonSpirit Health—were impacted by the data breach, the case says. However, other affiliates in CommonSpirit Health’s network have also reported “significant disruptions in their operations,” including patients being unable to schedule appointments and doctors prescribing incorrect doses of medication to patients, the complaint explains.

In light of the foregoing, the filing charges that, “[i]n fact, the number of actual victims of the Data Breach may be much higher—potentially as high as twenty million individuals.”

The plaintiff and his children, residents of Washington, entrusted their personal information to the defendant with the belief that, as one of the foremost healthcare systems in the country and the owner of 140 hospitals and more than a thousand medical centers, CommonSpirit Health would properly protect the sensitive data, the lawsuit claims.

Instead, like other victims of the cyberattack, the plaintiff and his children now face a heightened risk of identity theft, fraud, and other harm because their private information is allegedly “in the hands of data thieves,” the suit contends.

The lawsuit looks to represent anyone whose personal information was compromised as a result of the data breach announced by CommonSpirit Health in October 2022.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.