Class Action Lawsuit Filed Against St. Joseph’s/Candler over Ransomware Attack Affecting 1.4 Million Patients

A class action lawsuit has been filed against St. Joseph’s/Candler Hospital Health System in response to a ransomware attack that occurred on June 17, 2021.

The attack resulted in the encryption of files and forced the hospital’s IT systems offline. The systems accessed by the hackers contained the protected health information of 1.4 million patients, including names, Social Security numbers, driver license numbers, health insurance information, healthcare data, and financial information. St. Joseph’s/Candler offered affected patients a one-year membership to the Experian IdentityWorks credit monitoring and identity theft protection service.

The investigation into the ransomware attack confirmed the hackers first accessed the health system’s network on December 18, 2020, 6 months prior to the ransomware being deployed. During that time, the hackers had access to patient data stored on its systems.

Georgia resident Daniel Elliott was one of the patients whose PHI was compromised in the attack. On August 28, 2021, the personal injury firm Harris Lowry Manton LLP filed a class action lawsuit against St. Joseph’s/Candler naming Elliott as lead plaintiff. The lawsuit seeks damages for him and the 1.4 million other individuals affected by the ransomware attack.

St. Joseph’s/Candler, which operates Savannah Hospital in Georgia, is the largest health system in the region. The lawsuit alleges St. Joseph’s/Candler was negligent for failing to adequately secure patient data and for not taking sufficient steps to prevent ransomware attacks.

Specifically, the lawsuit states St. Joseph’s/Candler failed to “design, adopt, implement, control, direct, oversee, manage, monitor and audit appropriate data security process, controls, policies, procedures, protocols and software and hardware systems” to protect sensitive patient data. The alleged failures resulted in the exposure and potential theft of patient data, which has put affected patients at an increased risk of suffering identity theft and medical identity theft. Patients have had to spend money to protect their identities and must continue to do so in the future, and they must monitor their financial accounts, health insurance accounts, and credit files as a consequence of the data breach.

Elliott and members of the class action lawsuit seek a jury trial, unspecified monetary relief for punitive damages, reimbursement of expenses, restitution and disgorgement, and legal fees.

The lawsuit is one of several recently filed against healthcare providers that have suffered ransomware attacks. A class action lawsuit was recently filed against Attleboro, MA-based Sturdy Memorial Hospital over a February 2021 ransomware attack in which the PHI of 35,271 patients was potentially compromised. In that attack, the hospital paid the ransom to recover the encrypted data and prevent it from being published or sold. Affected patients were offered 2 years of credit monitoring services, but the lawsuit seeks extended cover as well as unspecified damages and attorneys’ fees.

Two individuals affected by the recently disclosed ransomware attack on DuPage Medical Group have also filed a lawsuit that seeks class action status and unspecified damages. The ransomware attack occurred in mid-July and the systems compromised in the attack contained the protected health information of 655,384 individuals.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.