HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Memorial Health System Faces Class Action Lawsuit Over August 2021 Cyberattack

Marietta Area Health Care Inc., doing business as Memorial Health System, is facing a class action lawsuit over a cyberattack and data breach that was detected by Memorial Health System on August 14, 2021.

The investigation into the attack confirmed the attackers first gained access to company servers on or around July 10, 2021, and installed malware on its systems. Unauthorized access remained possible until August 15, 2021.

The breach notification letters state Memorial Health System learned on September 17, 2021, that the threat actor potentially accessed or acquired information from its systems. The review of the affected systems was completed on November 1, 2021, and affected individuals were notified on January 12, 2022, and were offered a 12-month complimentary membership to a credit monitoring service. The breach notice submitted to the Maine attorney general indicates the personal information of 216,478 was potentially accessed by the attackers.

The lawsuit was filed in the U./S. District Court of the Southern District of Ohio, Eastern Division against Marietta Area Health Care Inc. dba Memorial Health System on behalf of plaintiff Kathleen Tucker and other individuals affected by the breach.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The lawsuit alleges the plaintiff’s and class members’ personal information, which included names, dates of birth, medical record numbers, patient account numbers, Social Security Numbers, and medical information, was compromised and unlawfully accessed, and that the plaintiff and class members, “suffered ascertainable losses in the form of the loss of the benefit of their bargain, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.”

The lawsuit alleges Memorial Health System was negligent for maintaining the private information of patients in a reckless manner by storing the information on systems that were vulnerable to cyberattacks. The lawsuit alleges the risk of cyberattacks was known to the defendant yet the necessary steps to secure private information were not taken. In addition to the negligence claim, the lawsuit alleges negligence per se, breach of implied contract, and unjust enrichment.

The plaintiff and class members are alleged to now be exposed to a heightened and imminent risk of fraud and identity theft and must now and in the future closely monitor their financial accounts to guard against identity theft. Out-of-pocket expenses have also been incurred, including the cost and time of arranging credit monitoring services, credit freezes, and credit reports.

The lawsuit seeks a jury trial and compensatory damages, treble damages, punitive damages, reimbursement of out-of-pocket costs, and injunctive relief, which should include improvements to Memorial Health System’s data security systems, future annual audits, and providing adequate credit monitoring services to individuals affected by the breach.

The lawsuit was filed by attorney Joseph M. Lyon of The Lyon Firm, LLC. The law firm of Console & Associates, P.C. has also initiated an investigation into the cyberattack and data breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.