A quartet of patients has filed a class-action suit against an Alabama based hospital group detailing the harm they allegedly suffered after a ransomware attack hit their local hospitals.
According to a news story, patients seen at the three hospitals run by Ala.-based DCH Health System are claiming that the three hospitals disrupted their medical care and violated HIPAA rules. In their complaint, the four accuse the health system of negligence, invasion of privacy, breach of contract and breach of fiduciary duty.
One of the parties, patient Geraldine Daniels, alleged that she could not get post-surgical medications after the attack and that all of her medical files were lost or impossible to access during her stay.
Sheneka Frieson, who on behalf of a 7-year-old girl, contended that girl was harmed when the ED turned away most patients and was running a four- or five-hour wait for others. She had experienced a severe allergic reaction which had closed her eyes to swell shut. A nurse allegedly told Frieson that her only options were to take the child to Walgreens or drive to a distant ED.
Another, Kimberly Turner, visited the ED for x-rays days before the ransomware attack hit. She alleges that her follow-up orthopedic treatment was disrupted by the malware.
The fourth plaintiff, Mary Williams, didn’t offer details of how the ransomware attack had harmed her, but contended that her medical records were compromised and her medical care disrupted, the news article reports.
The suit stems from an October 1 ransomware attack which forced the three facilities to close to all but the most critical new patients. The attack involved Ryuk ransomware code, malware which damages about one in every eight files it encrypts, according to an article in HealthcareITNews.
During the critical period after the attack, the hospitals asked ambulances to take patients to other hospitals if possible and warned that patients arriving at their emergency departments might be transferred to other hospitals once stabilized. The closures lasted 10 days.
To end the attack, the hospital group agreed to pay an undisclosed sum to the attackers. According to the piece, this included buying a decryption key from the attackers to speed their recovery from the attack.
The filing of the class action raises questions about hospitals’ liability after cybersecurity failures. For example, can they limit their exposure to such claims if they can demonstrate that they’d met common standards for data security protections? What if they meet HIPAA requirements but don’t spend a lot on training? I’m not an attorney, so I have no idea where the case law stands on this, but my guess is that there are still many important issues in flux. Much to consider here!
It is prudent today to purchase Cyber Risk Insurance. The downtime procedures should be reviewed monthly, and
business continuity hardware, software and procedures should be treated as part and parcel of emergency
management.