Federal Judge Tosses CommonSpirit Health Data Breach Lawsuit Due to Lack of Standing
A federal court judge has recommended a class action lawsuit against CommonSpririt Health over its 2022 data breach should be dismissed due to the failure of the plaintiff to demonstrate that they had been harmed by the data breach.
CommonSpirit Health suffered a ransomware attack on October 2, 2022, that affected more than 100 CommonSpirit Health facilities across the United States. A threat actor gained access to its systems on September 16, 2022, and had access to those systems until October 3, 2022. The forensic investigation and document review confirmed that the protected health information of more than 623,000 patients had been exposed. The exposed data included full names, addresses, healthcare providers, medical record numbers, treatment/prescription information, dates of medical services, other health insurance information, and patient’s facility/account numbers.
Multiple class action lawsuits were filed against CommonSpririt Health over the cyberattack and data breach which made similar claims. The lawsuits alleged CommonSpirit Health was negligent due to the failure to implement reasonable and appropriate safeguards to ensure the privacy of the protected health information it held and delayed issuing breach notifications, which were not sent until April 5, 2023.
One of those lawsuits, Bonnie Maser v. CommonSpirit Health, alleged that the plaintiff suffered injuries as a result of the breach, including more than $3,000 in bank account fraud that led to the closure of her account. As a result of the fraud, the plaintiff could not afford to pay her rent, lost her housing, her credit score dropped 60 points, and she claimed to continue to suffer harm, including panic attacks caused by the stress of the data breach. Maser’s lawsuit alleged negligence, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and unjust enrichment.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
CommonSpirit Health argued that the plaintiff failed to allege a concrete or imminent harm to support Article III standing, failed to adequately allege the minimum amount in controversy under the Class Action Fairness Act, and failed to state a claim upon which relief could be granted. U.S. Magistrate Judge Suan Prose recommended that the lawsuit be dismissed due to a lack of Article III standing, as the plaintiff failed to demonstrate that the fraudulent charges were fairly traceable to the data breach.
This was the second such lawsuit against CommonSpirit Health to be tossed due to a lack of standing. Two lawsuits against CommonSpirit Health that were filed in Illinois and were consolidated into a single lawsuit – Jose Antonio Koch individually and on behalf of his two minor children, and another by Leeroy Perkins – was also dismissed due to a lack of standing by District Court Judge Harry D. Leineweber.
