On January 26, 2022, Kathleen Tucker’s attorneys filed a class-action lawsuit against Memorial Health System (MHS), a not-for-profit healthcare organization based in Marietta, Ohio, that operates three hospitals, one stand-alone emergency room, and 64 clinics in Ohio and West Virginia. Tucker alleges that MHS failed to protect her personally identifiable information (PII) and protected health information (PHI) from cyberattacks, specifically a ransomware attack by Hive that took place on August 14, 2021.
On August 14, 2021, MHS IT personnel discovered malware on MHS computers and began investigating. On August 15, MHS announced the cyber breach and notified the public that “temporary disruptions” would occur. These disruptions included the cancellation of urgent surgical cases and radiology appointments on August 16, 2021, a temporary shift to the use of paper medical charts, and diversion of patients to emergency departments at other hospitals. At that time, MHS announced that patient and employee data had not, as far as MHS knew, been compromised.
However, on August 16, the BleepingComputer website published a news report stating that patient data was “likely stolen,” based on evidence showing that databases containing “information belonging to 200,000 patients” had been exfiltrated in the cyberattack.
On August 18, 2021, MHS updated the public via a press release, stating that “a negotiated solution” was underway. Once again, MHS stated that employee and patient data had not been compromised.
On August 25, 2021, the FBI’s Cyber Division issued a FLASH alert describing the characteristics of a Hive ransomware attack and providing technical information, a sample ransom note, and suggestions for what to do in case of a Hive ransomware attack.
While MHS was not specifically mentioned in the FLASH alert, the timing of the alert and the release of a news item about the FLASH alert on the American Hospital Association’s (AHA) website suggest that the FBI and AHA were trying to spread helpful information about protecting against Hive ransomware attacks as quickly as possible.
MHS patient notification
On January 12, 2022, MHS published a Notice of Data Privacy Event on its website. This Notice chronicles the events related to the Hive ransomware attack, including the fact that information about the potential acquisition of PII and PHI by Hive was not communicated to the affected individuals until December 9, 2021, or later. According to MHS, December 9, 2021, was the first day that information about the Hive ransomware attack was sent to potentially affected individuals.
The HIPAA Breach Notification Rule requires covered entities that experience a data breach to notify affected individuals within 60 days of the conclusion of the entity’s investigation. MHS concluded its investigation on November 1, 2021, and therefore is in compliance with the Breach Notification Rule.
Lawsuit highlights adverse impacts of the Hive ransomware attack
According to court documents, Kathleen Tucker claims that her PII and PHI were stolen in the Hive ransomware cyberattack. She accuses MHS of negligence for failing to protect her PII and PHI and that of other patients, especially given that healthcare systems are frequent targets of cyberattacks.
Tucker’s attorneys claim that she has had to spend many hours changing passwords, replacing credit cards, and otherwise responding to the reality that Hive has potentially acquired her PII and PHI. In addition, Tucker has had to deal with telephone calls, emails, and fraudulent charges that appear to be related to the Hive ransomware attack. Finally, Tucker has incurred costs and suffered emotional damage due to the threat of identity theft and fraud that has resulted from the Hive ransomware attack.
Tucker is seeking compensatory and punitive damages for herself and the Class as well as reimbursement for the out-of-pocket costs they have incurred. She is also asking for improvements to MHS’s data security procedures and systems, including audits.
Safeguard your email with Paubox
MHS isn’t the only provider or business associate facing a lawsuit over a data breach. BioPlus Specialty Pharmacy Services was sued in late December 2021, and US Fertility and Accellion were sued earlier that year. In each lawsuit, the defendants were accused of failing to protect their clients’ PII and PHI.
Covered entities must focus on continuous data security improvement in order to fulfill their responsibility to keep PII and PHI safe from hackers and data thieves. This involves regularly backing up data and storing it offline, training employees on data security best practices, and developing a business continuity plan. Of course, using firewalls and antivirus software is essential.
Finally, covered entities should prioritize robust email security since threat actors often use emails to infiltrate targeted data systems.
Paubox Email Suite guarantees encryption on all of your outbound email messages, ensuring that every message is HIPAA compliant. Our patented HITRUST CSF certified solution helps your organization avoid becoming a ransomware victim.
Paubox Email Suite integrates with popular email platforms such as Microsoft 365 and Google Workspace, which means you don’t have to change your email address or worry about asking your patients to use separate passwords or special portals to access your messages.