Multiple Lawsuits Filed Against Arkansas Hospitals Over Data Breaches
Multiple class action lawsuits have been filed against two healthcare providers in Arkansas – Mena Regional Health System (MRHS) and Howard Memorial Hospital – over cyberattacks in which patient data was compromised. The lawsuits are currently pending in the District Courts in Arkansas and were filed in response to two data breaches that were discovered in 2022.
MRHS discovered unauthorized access to its computer systems on November 8, 2022, and determined hackers had exfiltrated files from its systems more than a year earlier on October 30, 2021. The files included the protected health information of 84,814 patients, such as names, birth dates, Social Security numbers, financial account information, health insurance information, and diagnosis and treatment information. Notification letters were sent to affected individuals on November 22, 2022.
Howard Memorial Hospital in Nashville discovered a cyberattack and data breach in early December 2022 and determined hackers had access to its network for more than two weeks between November 14, 2022, and December 4, 2022. During that time, files were exfiltrated that contained a range of sensitive data including names, birth dates, Social Security numbers, health insurance information, medical record numbers, medical histories, and treatment information. Affected individuals were notified about the data breach on December 29, 2022. The breach was reported to the HHS’ Office for Civil Rights as affecting 53,668 individuals.
Several lawsuits have been filed against MRHS in response to the breach, including Cant et al. v. Mena Regional Health System et al (Carney Bates & Pulliam LLC and Lynch Carpenter, LLP), and another filed by Thiago Coelho of the Wilshire Law Firm. The lawsuits against MRHS make similar claims and allege the health system was negligent by failing to implement reasonable and appropriate cybersecurity measures to ensure patient data remained private and confidential. The lawsuits also take issue with the length of time taken to discover the cyberattack and data breach – more than one year. MRHS has already sought to have the lawsuits dismissed and claims they fail to allege any specific cybersecurity failure occurred and presume that there must have been a cybersecurity failure because there was a successful cyberattack, yet they fail to suggest anything that MRHS could have done differently to prevent the cyberattack.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Willbanks et al. v. Howard Memorial Hospital (The Sanford Law Firm) alleges negligence, breach of implied contract, and breach of fiduciary duty and claims the hospital maintained patient data in a careless manner. A lawsuit was also filed against Howard Memorial Hospital by Carney Bates & Pulliam LLC and Lynch Carpenter, LLP, on behalf of plaintiffs Bonita Martin, Bill Roberts, and Pamela Garza that makes similar claims.
According to Arkansas Business, at least 8 lawsuits are pending in the District Courts in Arkansas over these two data breaches. The lawsuits allege the victims of these breaches now face a substantial risk of fraud, identity theft, and other misuses of their personal data. The lawsuits seek class action status, damages, reimbursement of out-of-pocket expenses, injunctive relief, and attorneys’ fees. While the personal and protected health information of patients was stolen in these attacks, both health systems say they are unaware of any actual or attempted misuse of patient data. Lawsuits alleging future risk of identity theft and fraud often do not succeed and fail to get past the initial motions to dismiss.
