Ernest Health Data Breach Lawsuit Says Hospital Network ‘Lost Control’ Over Patients’ Info During 2024 Cyberattack

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit alleges Ernest Health “lost control” over thousands of current and former patients’ sensitive data during an early-2024 data breach that the hospital network, due to insufficient cybersecurity, had no effective means to prevent, detect or stop. 

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here. 

The 37-page Ernest Health data breach lawsuit says that it is unknown for exactly how long the perpetrators had access to the defendant’s network before the intrusion, which allegedly occurred between January 16 and February 4, 2024, was discovered. As the case tells it, the cybercriminals, reportedly the ransomware group LockBit, essentially had free rein to exfiltrate current and former patients’ data uninterrupted for 16 days, at least until Ernest Health claims to have detected the breach on February 1. 

Compounding matters, the complaint continues, is the fact that Ernest Health, who experienced a similar data breach in October 2018, waited until around March 29, 2024, to begin to notify victims that their data had been compromised, a full 73 days after the breach supposedly began. 

“Thus, Defendant kept the Class in the dark—thereby depriving the Class of the opportunity to try to mitigate their injuries in a timely manner,” the filing says. 

The case contends that Ernest Health, which has locations in 13 states, was an “easy target” for the hackers due to its failure to adequately train employees on cybersecurity and maintain reasonable system safeguards to protect consumers’ data. 

According to the lawsuit, the information stolen in the Ernest Health data breach includes, at minimum, names, addresses, dates of birth, medical record numbers, health insurance plan member IDs, claims details, medical diagnoses, prescription specifics, and Social Security and driver’s license numbers. 

To date, the exact number of victims impacted by the Ernest Health cyberattack is unclear, the filing mentions. 

“[Ernest Health] failed its duties when its inadequate security practices caused the Data Breach,” the suit charges. “In other words, Defendant’s negligence is evidenced by its failure to prevent the Data Breach and stop cybercriminals from accessing the [personally identifiable and protected health information]. And thus, Defendant caused widespread injury and monetary damages.”

Though Ernest Health claims to have implemented “additional safeguards and technical security measures” since the data breach, the lawsuit calls these initiatives “too little too late.” Per the case, LockBit reportedly threatened to publish the stolen patient data on the dark web by March 4, 2024.

Moreover, the case says the hospital network’s offer of credit monitoring and identity-related services to some victims is “wholly insufficient” to compensate current and former patients whose data was compromised.

The lawsuit looks to cover all United States residents whose personal information and/or protected health information was compromised during the data breach discovered by Ernest Health in February 2024.

Are you owed unclaimed settlement money? Check out our class action rebates page full of open class action settlements.