Ascension faces class action lawsuits over Black Basta ransomware attack

Ascension is facing two class action lawsuits over the May 8 ransomware attack, which reportedly continues to disrupt operations due to disconnection from Epic EHR and is causing long ER wait times at some of the health system’s 140 hospitals .

On May 12, Katherine Negron filed a class action lawsuit against Ascension in the U.S. District Court for the Northern District of Illinois. On May 13, Ana Marie Turner filed a similar lawsuit in federal court for the Western District of Texas. Both civil suits, filed by the Law Office of TJ Jesky in Chicago, seek monetary damages and demand a jury trial.

According to the complaints, citing the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), the Black Basta ransomware attack caused Ascension’s IT systems to crash.

The lawsuit alleges that Ascension failed to safeguard personal and health information. The complaint states that due to the cyberattack, plaintiffs were unable to effectively communicate with their healthcare providers through the MyChart patient portal or obtain necessary medical care and attention.

WHY IT MATTERS

According to the lawsuits, the ransomware attack led to the unauthorized disclosure of PHI, including names, dates of birth, patient information, Social Security numbers and other PHI.

“Plaintiff and the Class also forever face an increased risk of further abuse, fraud and identity theft due to their sensitive personal information falling into the hands of cybercriminals as a result of Defendant’s tortious conduct,” Negron’s lawsuit stated.

The lawsuit said Ascension failed to implement “reasonable and standard data security practices.” “The data breach was a direct result of Defendant’s failure to follow appropriate and reasonable cybersecurity procedures and protocols necessary to protect patients’ private information from a foreseeable and preventable cyberattack.”

Moreover, according to the complaint, “() Defendant maintained the Private Information recklessly. In particular, the Private Information was stored on the Defendant’s computer network in a state vulnerable to cyber attacks.”

The plaintiffs also want improvements to Ascension’s data security systems, future annual audits and adequate credit monitoring services.

A BIGGER TREND

A cyberattack has hit one of the nation’s largest healthcare systems, on the heels of a February ransomware attack that continues to impact Change Healthcare. The change is owned by Optum, which is affiliated with the nation’s largest insurer, UnitedHealthcare.

Change, which offers claims management, was immediately shut down after the ransomware attack. Although systems are coming back online, disruptions continue to impact hospital and medical practice revenues due to delays in compensation payments.

UnitedHealth Group CEO Andrew Witty confirmed that the company paid a ransom of $22 million in bitcoin to protect personal health information.

Email the author: [email protected]