A lawsuit has been filed against the New Jersey healthcare provider Hackensack Meridian Health over a December 2, 2019 ransomware attack that affected all 17 of its hospitals.
The ransomware attack temporarily disrupted medical services while its systems were offline and access to medical records was prevented. Systems remained down for several days while data was recovered, and systems were restored. Medical services continued to be provided with staff reverting to pen and paper to record patient information. However, some non-emergent medical procedures had to be cancelled.
Prompt action was taken to secure its systems and recover data, and physicians, nurses, and clinical teams worked round the clock to ensure patient safety was maintained during the attack and recovery process. In order to restore systems in the fastest possible timeframe and prevent ongoing disruption to medical services, the decision was taken to pay the ransom. Hackensack Meridian Health had a comprehensive cyber insurance policy in place, which helped cover the cost of the ransom payment and its remediation and recovery efforts.
Forensic experts were engaged to assist with the investigation and determine whether any patient information had been compromised. No evidence was found to indicate any patient information was stolen by the attackers.
While it would appear that Hackensack Meridian Health took reasonable steps to limit the harm caused to patients and restore systems and data in the shortest possible time frame, it was not enough to prevent legal action.
Two plaintiffs have been named in a proposed class-action lawsuit filed in a district court in Newark that seeks compensation, reimbursement of out-of-pocket expenses, statutory damages and penalties, and injunctive relief requiring Hackensack Meridian Health to make improvements to its security systems, undergo annual data security audits, and provide three years of complimentary credit monitoring services to breach victims.
The plaintiffs allege Hackensack Meridian Health maintained its network in a “reckless manner” which left its systems vulnerable to attack and that the health system failed to adequately protect patient information. The lawsuit also alleges the attack caused major disruption to the medical care provided to patients, forcing them to seek alternative care and treatment.
Hackensack Meridian Health’s investigation uncovered no evidence to suggest data theft, but the plaintiffs allege their personal and protected health information has been stolen by the attackers and disclosed to “other unknown thieves,” which has placed them at heightened and imminent risk of identity theft and fraud.
The plaintiffs also allege the ransomware attack was not reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), as is required by HIPAA, and that affected patients have not been notified about the attack.
As of February 19, 2020, the incident had yet to appear on the OCR breach portal, although that does not necessarily mean the incident has not been reported, as there is often a delay between a report being submitted to OCR and it being uploaded to the breach portal.
Breach notifications are often delayed while data breaches are investigated. It can take some time to determine which patients have been affected and to obtain up-to-date contact information in order to mail notifications. Under previous OCR guidance, a ransomware attack that encrypts ePHI is presumed to be a reportable breach, so patient notifications are usually required; they can be avoided only if the covered entity can demonstrate, through a documented risk assessment, that there was a low probability that PHI was compromised.
It is becoming increasingly common for patients to take legal action against covered entities over ransomware attacks. Several lawsuits have been filed in recent weeks on behalf of patients who have been affected by ransomware attacks. With more threat groups opting to steal data prior to encrypting files, the number of lawsuits will undoubtedly increase.