Mena Regional Facing Class Action Over Data Breach Affecting Nearly 85K Patients

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit alleges the inadequate cybersecurity practices of Mena Regional Health System and an unidentified insurance carrier are to blame for a data breach purportedly discovered in November 2022.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 28-page lawsuit says that the Arkansas- and Oklahoma-based healthcare organization, who does business as Mena Regional Hospital Commission, learned on November 8 of last year that its network had been hacked and that a third-party had removed sensitive patient information almost a year earlier, in late October 2021.

Per the suit, the cyberattack compromised the personal information of almost 85,000 patients. Data compromised in the incident included, but was not limited to, patients’ names, dates of birth, Social Security numbers, driver’s license and government identification numbers, financial account information, patient account numbers, medical diagnoses and treatment details, medical provider names, lab results, prescription details and health insurance specifics.

The case contends that the data breach occurred as a direct result of Mena Regional’s “negligent” failure to take basic cybersecurity precautions to safeguard patients’ personally identifiable information (PII) and protected health information (PHI) in its network.

According to the complaint, the defendant had a legal obligation under the Health Insurance Portability and Accountability Act (HIPAA) to protect the personal and medical data stored in its system, and Mena Regional should have understood that the vast quantity of valuable information it retained would make it a “prime target” for cybercriminals.

“Mena Regional was well aware [sic] that the PHI and PII it collects is highly sensitive and of significant value to those who would use it for wrongful purposes,” the filing reads.

The plaintiffs, both Arkansas residents and former patients, received notices from Mena Regional in late November 2022 informing them that their personal information had been compromised in the data breach, the suit relays. Like other victims, the plaintiffs must now deal with a substantially increased risk of illegal activity, such as identity theft and medical fraud, as a result of the exposure of their data to cybercriminals, the case claims.

The lawsuit looks to represent anyone whose personal and/or medical information was compromised in the data breach announced by Mena Regional on November 22, 2022.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.