South Shore Hospital Corporation Hit with Class Action Following December 2021 Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

South Shore Hospital Corporation (SSH) faces a proposed class action that claims the Chicago-area hospital failed to properly safeguard patients’ personal and health information from unauthorized access.

Central to the 29-page case is a December 2021 data breach during which the information of 115,670 patients was reportedly exposed. According to the suit, SSH’s “lax security measures” allowed patients’ names, addresses, dates of birth, Social Security numbers, financial and health insurance information, medical details, diagnoses and Medicare and Medicaid data to be accessed by cybercriminals.

To make matters worse, the case says, SSH waited roughly two months after discovering the breach to notify those whose information was compromised, despite being required by Illinois law to provide notice in the “most expedient time possible and without unreasonable delay.”

The lawsuit stresses that most of SSH’s patients live in the surrounding South Shore community, the majority of which is made up of African American/Black and Hispanic/Latinx residents and among whom the most common health issues are diabetes, mental health, violence, substance use, age-related illness, heart disease and stroke. Per the suit, “[v]ulnerable people” such those with substance abuse issues and the elderly are “ideal targets” for scams and extortion.

The lawsuit claims that SSH has exposed data breach victims to “severe” consequences, including a heightened risk of identity theft and fraud.

According to the complaint, SSH discovered “unauthorized activity” on its network on December 10, 2021, after which the hospital launched an investigation that revealed patients’ private and health information had been compromised. The suit argues that the breach was a direct result of SSH’s failure to implement adequate cybersecurity measures and train employees on cybersecurity policies. The case says that the hospital stores patient information in several locations, “all with differing security safeguards.” Though some of the data may be protected, SSH leaves other data “vulnerable to extraction” in a different system, the suit alleges.

The lawsuit argues that although SSH purportedly implemented “additional security controls” in the wake of the incident, these measures “should have been in place before the Data Breach.”

The complaint adds that SSH further harmed patients by supposedly waiting roughly two months after the breach was discovered to send notice to those who were affected. The plaintiff, a Calumet City, Illinois resident who filed the case pseudonymously, says she only confirmed that her information was compromised after calling the toll-free number listed in the defendant’s notice.

The plaintiff claims that she will need to spend “considerable time and effort” over the coming years to monitor her accounts and check for identity theft. Moreover, the plaintiff remains “unsure what has happened” to her personal and health information given the defendant has been “unwilling to disclose the true nature of the Data Breach,” according to the complaint.

The lawsuit looks to represent Illinois citizens whose protected health information and personally identifiable information was compromised in the data breach disclosed by South Shore Hospital Corporation.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.