UHS Data Breach Lawsuit Allowed to Proceed but only for Patient Whose Surgery was Cancelled

A lawsuit filed against Universal Health Services (UHS) following a 2020 data breach has been allowed to proceed, but only for one of the patients named in the lawsuit.

UHS operates around 400 hospitals and care centers in the United States and the United Kingdom. In September 2020, UHS suffered a ransomware attack in which sensitive data was exfiltrated. The Ryuk ransomware gang threatened to release the stolen data on a leak site if the ransom was not paid, although the UHS investigation found no evidence of any data misuse.

The attack affected all 400 UHS care sites and caused significant disruption, with IT systems finally being brought back online a month after the attack. UHS was forced to postpone some scheduled appointments as a result of the attack.

A lawsuit was filed in the U.S. District Court, Eastern District of Pennsylvania by the law firm Morgan & Morgan naming three patients as plaintiffs – Graham v. Universal Health Service Inc. The lawsuit alleged negligence, breach of implied contract, breach of fiduciary duty, and breach of confidence. Two of the plaintiffs sought damages for the exposure of sensitive data, which they claimed placed them at an increased risk of identity theft and fraud.

As is often the case in data breach lawsuits, the claims of two of the plaintiffs – Barry Graham and Angela Morgan – were deemed to be too speculative, and an increased risk of identity theft and fraud was deemed not sufficient for standing as it did not constitute harm. The plaintiffs were unable to provide evidence to support their claim, with U.S. District Judge Gerald McHugh noting that in cases of data theft in ransomware attacks, the theft of data is “generally the means to an end: extorting payment,” and that the courts could only speculate as to whether the stolen data was in a form that would allow the attackers to make unauthorized transactions in the names of the plaintiffs and whether they would actually be intended targets in future criminal acts by the hackers.

The claim of the third plaintiff, Stephen Motkowicz, was determined to be sufficient to survive the motion to dismiss. Motkowicz had an appointment for a surgical procedure postponed as a result of the attack. Motkowicz required surgery to treat a medical condition and, as a result of the delay, was forced to take further time off work, ultimately lost his health insurance through his employer, and was forced to purchase an insurance policy at a higher price.

“Plaintiff’s injury is not speculative, as his financial expenditures allegedly occurred in response to the data breach and the corresponding cancellation of his surgery,” said Judge McHugh. While his claim was sufficient to survive the motion to dismiss, Judge McHugh said the theory of causation provided a significant challenge, which would have to be evaluated through further discovery to determine if it was sufficient to have standing.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.