Hackensack Meridian Health in New Jersey is facing a lawsuit over the December 2, 2019 ransomware attack that affected 17 of its hospitals.
The ransomware attack temporarily disrupted healthcare services: with systems offline, hospital staff could not access electronic medical records. Systems remained down for several days while data was recovered and restored. Staff continued to provide care, recording patient information on pen and paper, and some non-urgent procedures were canceled.
Immediate measures were taken to protect systems and restore data, and doctors, nurses, and clinical staff worked around the clock to maintain patient safety throughout the attack and the recovery process. To restore systems as quickly as possible and avoid prolonged disruption to healthcare services, Hackensack Meridian Health decided to pay the ransom. The health system's comprehensive insurance policy covered the ransom payment as well as its remediation and recovery costs.
Forensic specialists were hired to investigate the attack and determine whether patient information had been compromised. No evidence was found that the attackers stole any patient information.
Although Hackensack Meridian Health appears to have done what it could to limit harm to patients and to restore systems and data as quickly as possible, that did not prevent legal action.
A proposed class-action lawsuit was filed in a Newark district court. The two plaintiffs seek compensation, statutory damages and penalties, reimbursement of out-of-pocket expenses, and injunctive relief requiring Hackensack Meridian Health to improve its security systems, undergo annual data security audits, and provide breach victims with three years of free credit monitoring services.
The plaintiffs claim Hackensack Meridian Health recklessly managed its network, leaving its systems susceptible to attack, and that the health system therefore failed to adequately secure patient data. The lawsuit also alleges that the attack seriously disrupted the care provided to patients, forcing them to seek treatment elsewhere.
Hackensack Meridian Health's investigation found no evidence of data theft, yet the plaintiffs claim that the attackers stole their personal information and protected health information (PHI) and exposed it to other, unidentified criminals, placing them at an increased and imminent risk of identity theft and fraud.
The plaintiffs further allege that Hackensack Meridian Health did not report the ransomware attack to the Department of Health and Human Services' Office for Civil Rights (OCR) and did not notify affected patients of the breach.
As of February 19, 2020, the incident had not appeared on the OCR breach portal, though that does not necessarily mean it was not reported. There is generally a delay between the submission of a breach report to OCR and its posting on the portal.
Breach notifications may also be delayed while the investigation is ongoing. It can take time to determine which patients were affected and to obtain current contact details so that notification letters can be mailed. Under prior OCR guidance, a ransomware attack that encrypts PHI is presumed to be a reportable breach, so patient notifications are usually required; they can be avoided only if the covered entity can demonstrate, through a risk assessment, that there was a low probability the PHI was compromised.
It is becoming increasingly common for patients to sue covered entities over ransomware attacks, and several such lawsuits have been filed recently on behalf of affected patients. Given the number of threat groups that now steal data before encrypting files, more lawsuits are to be expected.