HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Lawsuit Filed Against DCH Health System Over October Ransomware Attack

A lawsuit has been filed in the Western Division of U.S. District Court for the Northern District of Alabama against DCH Health System over a ransomware attack on October 1, 2019.

The ransomware attack on the 3-hospital health system forced it to take its systems offline for a period of 10 days while systems were rebuilt and data was recovered. During that time, some non-emergency appointments had to be cancelled and patients experienced delays receiving treatment and, in some cases, had to seek medical services from other medical facilities in the state.

It is the delay to treatment that has spurred the lawsuit. Four patients are named in the lawsuit and allege they have suffered harm as a result of the shutdown of its systems, which disrupted their daily lives and forced them to forego medical care and treatment or seek care and treatment from alternative facilities during the ten days when DCH Health System’s systems were offline.

One of the plaintiffs, who filed on behalf of her daughter, was told that the ransomware attack was causing delays in the emergency room and that she would be required to wait around 5 hours for her daughter to receive treatment for an allergic reaction that had caused severe swelling and forced her daughter’s eyes shut. If she was unable to wait, she was told that she could travel from Tuscaloosa to Birmingham to receive medical treatment or visit Walgreens. The patient claims that as a result of the delay receiving treatment it took 3 days before the swelling started to go down.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

One patient who was staying at the hospital after surgery said that as a result of her medical records being inaccessible, she was unable to be prescribed medications during her stay. Another patient had gone to the emergency room and had x-rays taken a few days before the attack, but her orthopedic treatment was delayed as a result of the attack. The lawsuit also alleges that the plaintiffs’ protected health information was potentially compromised in the attack.

The plaintiffs claim that DCH Health System violated state laws and HIPAA and the failure to implement appropriate cybersecurity measures to safeguard its systems and data amounted to negligence. The lawsuit also alleges an invasion of privacy, breach of contract, and breach of fiduciary duty.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.