Ascension Patients Couldn't Access Records After Data Breach: Class Action
A data breach this month at Ascension Health prevented patients from completing health-related tasks and puts them at risk of future harm, said a negligence class action Thursday (docket 4:24-cv-00724) in U.S. District Court for Eastern Missouri in St. Louis.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The healthcare system detected “unusual activity” on several of its IT systems on May 8 and posted to its website May 9 that some systems were “interrupted” as a result of its response to the cybersecurity event. The defendant’s subsequent investigation determined that all 142 of its hospitals were “impacted," affecting "electronic medical records accessibility, phone systems, and systems used to book tests, procedures, and medications, and elective procedures,” the complaint said.
Ascension failed to safeguard patients’ private information and failed to provide “timely notice” of the breach, alleged the complaint. Though Ascension sought to minimize the damage from the breach, there was unauthorized access to plaintiffs’ and class members' private information, and they remain at risk that their data will be “sold or listed on the dark web, and ultimately, illegally used in the future,” it said.
Plaintiff Daniel Brown of Coffeyville, Kansas, was unable to proceed with a scheduled sleep study on May 17 and unable to reschedule the appointment because he couldn’t access his account via Ascension’s patient portal, alleged the complaint. Due to the data breach, Iman Ayuk, a Taylor, Michigan, resident, couldn’t contact her medical providers and view her health records; Racine, Wisconsin, resident Kerry Lovell couldn’t communicate with her providers to obtain prescription refills online; and Richard Meade of Lockport, Illinois, couldn’t access his health records, the complaint alleged.
Also as a result of the breach, the four plaintiffs have been forced to, and will continue to, invest “significant time” monitoring their accounts to detect and reduce the consequences of “likely identity fraud,” the complaint said. The plaintiffs wouldn’t have used Ascension’s services if they had known the healthcare system would expose their private information, the complaint said.
The plaintiffs and class members are at imminent and continuing risk of harm for identity theft and medical fraud caused by Ascension’s “wrongful actions” and must act to “recover their peace of mind and personal security” by purchasing credit monitoring services, frequently obtaining credit reports and bank statements, instituting credit freezes, and closing or modifying financial accounts, the complaint said.
In addition to negligence, the plaintiffs assert claims of unjust enrichment, breach of implied contract and the implied covenant of good faith and fair dealing, invasion of confidence, and violation of the Missouri Merchandise Practices Act. They seek statutory damages or penalties to the extent available, prejudgment interest and an order of restitution.