Updates on CommonSpirit Health and BioPlus Specialty Pharmacy Services Data Breach Lawsuits

Federal Judge Dismisses CommonSpirit Health Data Breach Lawsuit Due to Insufficient Standing

A federal court judge decided to dismiss a class action lawsuit filed against CommonSpririt Health concerning its 2022 data breach due to the failure of the plaintiff to show that they suffered harm from the data breach.

CommonSpirit Health experienced a ransomware attack on October 2, 2022, that affected over 100 CommonSpirit Health services throughout the United States. A threat actor acquired access to its systems on September 16, 2022, and got access to those systems until October 3, 2022. Based on the forensic investigation and document assessment, the protected health information (PHI) of about 623,000 patients were exposed. The breached data contained full names, addresses, healthcare organizations, patient’s facility/account numbers, medical record numbers, dates of medical services, treatment/medicine details, and other health insurance data.

CommonSpririt Health faced multiple class action lawsuits associated with the cyberattack and data breach that had the same claims. The lawsuits purport that CommonSpirit Health was negligent because of the inability to apply sensible and appropriate safeguards to protect the privacy of the protected health information it held and delayed sending breach notifications, which were not sent until April 5, 2023.

One of those lawsuits, Bonnie Maser v. CommonSpirit Health, alleged that the plaintiff suffered injuries because of the breach, including over $3,000 in bank account fraud that resulted in the closure of her account. Because of the fraud, the plaintiff could not pay for her rent, gave up her housing, her credit score slipped 60 points, and she reported to continue to suffer harm, which include panic attacks due to the anxiety of the data breach. Maser’s lawsuit claimed negligence, unjust enrichment, breach of implied contract, and breach of the implied covenant of good faith and fair dealing.

CommonSpirit Health contended that the plaintiff was unable to assert a concrete or imminent hurt to support Article III standing, failed to adequately claim the minimum amount in controversy under the Class Action Fairness Act, and did not state a claim upon which aid could be given. U.S. Magistrate Judge Suan Prose advised the dismissal of the lawsuit as a result of insufficient Article III standing, since the plaintiff was unsuccessful to demonstrate that the fraudulent costs were reasonably traceable to the data breach.

This is CommonSpirit Health’s second lawsuit to be tossed as a result of little standing. Two lawsuits against CommonSpirit Health, one by Leeroy Perkins and another by Jose Antonio Koch individually and on behalf of his two minor children, were filed in Illinois and consolidated into one lawsuit. District Court Judge Harry D. Leineweber dismissed the lawsuit because of a lack of standing.

BioPlus Specialty Pharmacy Services Proposes to Settle a Data Breach Lawsuit

BioPlus Specialty Pharmacy Services has proposed to resolve a class action lawsuit that was filed because of a data breach in 2021 that compromised the information of around 350,000 patients. Hackers obtained access to the BioPlus network for over 2 weeks between October and November 2021, and possibly stole names, contact details, dates of birth, Social Security numbers, health insurance data, and prescription data. The Florida specialty pharmacy group informed the impacted persons within one month and provided them with complimentary credit monitoring services.

The lawsuit alleged that BioPlus should have avoided the breach and may have done so if acceptable cybersecurity procedures were put in place and industry-standard security guidelines were adopted. BioPlus did not accept the allegations; nevertheless, a settlement was offered to end the legal action. BioPlus refused any liability or wrongdoing associated with the cyberattack and data breach.

The stipulations of the proposed settlement allow class members to file claims of approximately $7,550 and will be repaid for out-of-pocket costs incurred due to the data breach. The maximum claims allowed will depend on whether Social Security numbers were exposed. If they were, class members are permitted to get a cash payment of $50 and can claim as much as $7,500 for recorded expenditures sustained because of the data breach, including 3 hours of lost time valued at $25 per hour, and any unreimbursed expenses to identity theft and scam.

Class members who didn’t have their Social Security numbers breached cannot claim a cash payment and claims will be limited to a maximum of $750, which includes 2 hours of lost time worth $25 an hour. Any individual who wishes to object to or be ruled out from the settlement must do so by June 18, 2024, and all claims should be sent in by the same date. The court gave the settlement preliminary approval. The schedule of the final settlement hearing is on August 22, 2024. Morgan & Morgan and Markovits, Stock, & DeMarco LLC attorneys represent the plaintiff and class.