Share this article on:
A lawsuit has been filed in the Western Division of U.S. District Court for the Northern District of Alabama against DCH Health System over a ransomware attack on October 1, 2019.
The ransomware attack on the 3-hospital health system forced it to take its systems offline for a period of 10 days while systems were rebuilt and data was recovered. During that time, some non-emergency appointments had to be cancelled and patients experienced delays receiving treatment and, in some cases, had to seek medical services from other medical facilities in the state.
It is the delay to treatment that has spurred the lawsuit. Four patients are named in the lawsuit and allege they have suffered harm as a result of the shutdown of its systems, which disrupted their daily lives and forced them to forego medical care and treatment or seek care and treatment from alternative facilities during the ten days when DCH Health System’s systems were offline.
One of the plaintiffs, who filed on behalf of her daughter, was told that the ransomware attack was causing delays in the emergency room and that she would be required to wait around 5 hours for her daughter to receive treatment for an allergic reaction that had caused severe swelling and forced her daughter’s eyes shut. If she was unable to wait, she was told that she could travel from Tuscaloosa to Birmingham to receive medical treatment or visit Walgreens. The patient claims that as a result of the delay receiving treatment it took 3 days before the swelling started to go down.
One patient who was staying at the hospital after surgery said that as a result of her medical records being inaccessible, she was unable to be prescribed medications during her stay. Another patient had gone to the emergency room and had x-rays taken a few days before the attack, but her orthopedic treatment was delayed as a result of the attack. The lawsuit also alleges that the plaintiffs’ protected health information was potentially compromised in the attack.
The plaintiffs claim that DCH Health System violated state laws and HIPAA and the failure to implement appropriate cybersecurity measures to safeguard its systems and data amounted to negligence. The lawsuit also alleges an invasion of privacy, breach of contract, and breach of fiduciary duty.