January 24th – In the U.S. state of Massachusetts, Anna Jacques Hospital experienced a shutdown of its electronic record systems and networked computers late last year.
The attack forced administrators to redirect ambulances to other hospitals until service was restored two days later.
A ransomware extortion group known as Money Message publicly admitted that it catalyzed the breach. Neither the hackers nor the hospital disclosed how much of a ransom was demanded.
The proposed class action lawsuit alleges negligence and breach of implied contract and good faith on the part of the hospital, as it failed to effectively safeguard data.
The suit seeks $5.4 million, or $200 each, in damages for an assumed class of 27,000 plaintiffs. At this time, the actual number of individuals whose personal data was compromised remains unknown – it could be far above the estimated figure.
The complaint also requests for the court to order the hospital to improve its data security system.
The hospital allegedly concealed “…the existence and extent of the data breach for an unreasonable duration of time” and is said to have failed to provide accurate notice of the breach.
The lawsuit claims that the hospital has still not yet notified its patients about the data breach.
A hospital spokesperson has stated that if it finds that data has been impacted by the incident, it will send required notifications in accordance with state and federal laws.
The data that may have been exposed or stolen through this incident includes personal health information, such as medical records and history, test results, procedure descriptions, diagnoses and personal or family medical histories.
It’s also possible that personally identifiable information (PII), such as social security numbers, passport numbers, driver’s license numbers and financial account numbers were breached.
The individual who initiated the lawsuit claims that he only found out about the breach from local news reports and asserts that it’s “likely” that some of the exposed information has already been misused.