Operator of St. Joseph’s, Candler Hospitals Hit with Lawsuit Over June 2021 Ransomware Attack [UPDATE]
by Erin Shaak
Last Updated on September 22, 2021
Betz v. St. Joseph’s/Candler Health System, Inc.
Filed: September 14, 2021 § 4:21-cv-00260
St. Joseph’s/Candler Health System, Inc. faces lawsuit over a data breach that allegedly allowed criminals to access patients’ personal and medical information.
Case Updates
September 22, 2021 – Lawsuit Re-Filed in South Carolina
The lawsuit against St. Joseph’s/Candler Health System has been re-filed, this time in South Carolina District Court.
The allegations in the newly filed complaint, found here, are materially the same as those in the Georgia case but leave out one claim alleging violations of the Georgia Fair Business Practices Act.
September 21, 2021 – Lawsuit Dismissed
The lawsuit detailed on this page was voluntarily dismissed by the plaintiff on September 17, only a few days after it was first filed.
The dismissal notice, found here, notes that the plaintiff’s claims have been dismissed without prejudice—meaning they can be refiled—but provides no further details.
St. Joseph’s/Candler Health System, Inc. faces a proposed class action over a six-month data breach that allegedly provided criminals with “unfettered access” to patients’ personal and medical information.
The lawsuit alleges the breach, which reportedly impacted roughly 1.4 million patients who received healthcare services across the defendant’s 117 Georgia and South Carolina locations, was a direct result of the healthcare system’s failure to implement adequate data security in the face of ample and repeated warnings that hospitals were “in hackers’ crosshairs.”
“Despite repeated, explicit, detailed notices of the risks faced by hospital systems storing sensitive patient data, Defendant recklessly stored Class Members’ [personally identifiable information] and [protected health information] in an unsafe manner,” the complaint contends.
The lawsuit claims the data breach began in December 2020 when unauthorized individuals gained access to the defendant’s secure network on which the private and sensitive medical information of over one million patients was stored. The case relays that this sensitive information included names, addresses, Social Security numbers, dates of birth, driver’s license numbers, billing account information, financial information, health insurance information, employment information, family member and emergency contacts, medical records, dates of service, provider names and medical and clinical treatment information.
Per the suit, the criminals were permitted to “roam freely and undetected” within the hospital operator’s systems for “a full six months” before the defendant “identified suspicious activity” on its network on June 17, 2021. It was then discovered, according to the case, that the hackers were “holding the hospital system’s IT system hostage,” and demanding payment in exchange for the release of the system.
The suit claims the ransomware attack caused the entire information system at the defendant’s St. Joseph’s and Candler hospitals in Savannah to go down, forcing medical staff to quickly revert to “pre-internet medical practice,” potentially endangering patients. Per the complaint, it wasn’t until July 2 that the hospitals’ systems “slowly beg[a]n to come back online,” and it took “much longer” until the defendant’s hospitals could resume normal operations.
According to the case, the breach and resulting damage were the result of the defendant’s failure to implement even basic data security practices, including regularly backing up data and maintaining a data recovery plan. The incident was especially egregious given the defendant had been warned by multiple federal agencies and media reports that cybercriminals were “planning precisely this type of attack on hospitals,” the lawsuit attests. Indeed, St. Joseph’s/Candler failed to detect the breach for six months despite being provided with “concrete and specific instructions” by federal agencies and cybersecurity experts on how to do so, according to the filing.
Per the case, the exposure of patients’ sensitive personal and medical data has “serious, long-term consequences” that the defendant “should have anticipated and guarded against.”
The suit goes on to allege that even though St. Joseph’s/Candler Health System learned of the data breach in June 2021, victims were not notified until mid-August, almost two full months after the incident was discovered. The case claims the defendant disregarded the privacy rights of its patients by “intentionally, willfully, recklessly, or negligently” failing to take appropriate measures to protect their information, disclose that its data systems were “vulnerable to intrusion,” detect unauthorized access to its system and timely notify victims of the data breach.
The lawsuit looks to represent anyone whose protected health information or personally identifiable information was accessed by and disclosed to unauthorized individuals in the data breach at issue, including those who received notice of the breach, at any time since December 18, 2020.