MedStar Health Data Breach Lawsuit Says 180K People Impacted by 2023 Cyberattack

New to ClassAction.org? Read our Newswire Disclaimer

Nonprofit MedStar Health faces a proposed class action lawsuit in the wake of a months-long 2023 data breach believed to have impacted more than 180,000 people.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.

The 40-page MedStar data breach lawsuit says the cyberattack against the nonprofit, which operates more than 300 care locations and 10 hospitals in Maryland, Virginia and Washington, D.C., occurred between January 25 and October 13, 2023, and involved current and former patients’ names, mailing addresses, dates of birth, dates of service, provider names and health insurance details, potentially among other sensitive personal information.

Though the data breach occurred for most of 2023, Maryland-based MedStar announced only this month, May 2024, that emails and files associated with three employees’ email accounts had been accessed by an outside party without authorization, the complaint shares. Per MedStar’s official notice of the data incident, the nonprofit determined on March 6, 2024, after conducting forensic analysis, that patient information was among the data accessed improperly.

“While we have no reason to believe that patient information was actually acquired or viewed, we cannot rule out such access,” MedStar stated in the notice.

According to the case, MedStar failed to even encrypt or redact the sensitive information belonging to data breach victims, indicating “negligent and/or careless acts and omissions” amid the nonprofit’s “utter failure to protect its patients’ sensitive data.”

“Hackers targeted and obtained Plaintiff’s and Class Members’ Private Information because of its value in exploiting and stealing the identities of Plaintiff and Class Members,” the case reads. “The present and continuing risk to victims of the Data Breach will remain for their respective lifetimes.”

By obtaining and storing patients’ private information, MedStar assumed the legal duty of safeguarding that data from unauthorized disclosure, the lawsuit stresses. The filing contends that MedStar could have prevented the data breach had it properly encrypted the impacted files and servers or deleted the information once it was no longer needed.

“As a custodian of Private Information, Defendant knew, or should have known, the importance of safeguarding the Private Information entrusted to it by Plaintiff and Class Members, and of the foreseeable consequences if its data security systems were breached, including the significant costs imposed on Plaintiff and Class Members as a result of a breach.”

The MedStar data breach class action looks to cover all United States residents whose private information was compromised in the MedStar Health data breach.

Are you owed unclaimed settlement money? Check out our class action rebates page full of open class action settlements.