St. Joseph’s/Candler Faces Class Action Lawsuit over Ransomware Attack Impacting 1.4 Million Individuals

St. Joseph’s/Candler Hospital Health System is facing a class-action lawsuit because of a ransomware attack that took place on June 17, 2021.

The attack encrypted files, which forced the hospital to take its IT systems off the internet. The hackers accessed the systems containing the protected health information (PHI) of 1.4 million individuals, such as names, driver’s license numbers, Social Security numbers, medical insurance data, healthcare information, and financial details. St. Joseph’s/Candler provided impacted patients with an Experian IdentityWorks credit monitoring and identity theft protection service membership for one year.

The investigation into the ransomware attack confirmed that the hackers got access to its system on December 18, 2020, which is 6 months before they deployed the ransomware. During that time, the hackers were able to access the patient information kept on its systems.

Daniel Elliott, a Georgia resident, was one patient who had his PHI compromised in the ransomware attack. The personal injury firm Harris Lowry Manton LLP filed a class action lawsuit against St. Joseph’s/Candler, with Elliott named as lead plaintiff, on August 28, 2021. According to the lawsuit, Elliott is seeking damages for himself and for the 1.4 million patients affected by the ransomware attack.

St. Joseph’s/Candler, which manages Savannah Hospital in Georgia, is the region’s biggest health system. The lawsuit claims St. Joseph’s/Candler was at fault for failing to sufficiently protect patient information and for not taking adequate steps to avoid ransomware attacks.

In particular, the lawsuit claims St. Joseph’s/Candler was unable to “design, adopt, implement, control, direct, oversee, manage, monitor and audit appropriate data security process, controls, policies, procedures, protocols and software, and hardware systems” to keep sensitive patient information secure. The alleged failures caused the breach and probable theft of patient information, which has put impacted patients at a greater risk of experiencing identity theft and medical identity theft. Because of the breach, affected individuals had to spend money to secure their identities, will have to keep spending in the future, and must keep track of their financial accounts, medical insurance accounts, and credit files.

Elliott and the other members of the class are seeking a jury trial, unspecified financial relief for punitive damages, compensation for expenses, disgorgement and restitution, and legal fees.

The lawsuit is one of a number newly filed against healthcare companies that have experienced ransomware attacks. A class-action lawsuit was recently filed against Sturdy Memorial Hospital, based in Attleboro, MA, because of a February 2021 ransomware attack in which the PHI of 35,271 patients was possibly exposed. In that ransomware attack, the hospital paid the ransom to retrieve the encrypted information and avoid its exposure or sale. The affected patients received two years of credit monitoring services; however, the lawsuit wants extended coverage along with unspecified damages and attorneys’ fees.

Two people impacted by the recently disclosed DuPage Medical Group ransomware attack have likewise filed a lawsuit and want class-action status plus unspecified damages. The ransomware attack happened in the middle of July, and the systems breached in the attack included the PHI of 655,384 people.