Filed on Aug. 28, by the Savannah-based personal injury firm of Harris Lowry Manton LLP, the lawsuit alleges that SJ/C, the region's largest health care system, violated its privacy policy and acted negligently when it failed to adequately secure patients' information and take preventive measures to avoid the ransomware attack and data breach, which was detected on June 17. Subsequent investigations revealed that the unauthorized party gained access to the hospital system's IT network between Dec. 18, 2020, and June 17, 2021.
According to the lawsuit, patients suffered an increased risk of identity theft and medical identity theft, and "have been forced to expend, and must expend in the future, to monitor their financial accounts, health insurance accounts, and credit files as a result of the data breach." No specific instances of identity theft were cited in the lawsuit.
Plaintiffs further allege the hospital neglected to "design, adopt, implement, control, direct, oversee, manage, monitor and audit appropriate data security process, controls, policies, procedures, protocols and software and hardware systems" to protect patients' information. That information could include, according to a letter sent by CEO Paul Hinchey on Aug. 10, a patient's name, address, birth date, social security and driver's license numbers, billing accounts, health insurance plans, and medical records, among other personal and financial details. In the letter, Hinchey said the hospital had returned to "fully operational" status.
Emails and phone calls to the law firm that filed the suit were not returned. St. Joseph's/Candler's spokesperson, Scott Larsen, said that the hospital does not comment on pending litigation.
Soumitra Bhuyan, assistant professor at the Edward J. Bloustein School of Planning and Public Policy at Rutgers University, previously told the Savannah Morning News, on average it takes about 96 days to identify the data breach. In some cases, it can take longer.
"There are hospitals that did not identify that a breach happened for a year," she said.
The health care system is offering patients a one-year membership to Experian's IdentityWorks, which helps detect possible misuse of personal info.
The plaintiffs in the class-action lawsuit are seeking a jury trial, unspecified amount of monetary relief for punitive damages, restitution and disgorgement, and payment of attorney fees.
©2021 Savannah Morning News, Distributed by Tribune Content Agency, LLC.
