Communications Litigation Today was a Warren News publication.
'Double Extortion Tactic'

Ascension Health Data Breach Broke Trust of Millions of Patients: Class Action

Ascension Health broke the trust of millions of current and former patients last month when it announced hackers attacked its network systems, exposing patients' personally identifiable (PII) and protected health information (PHI), eight plaintiffs alleged in a negligence class action Friday (docket 4:24-cv-00870) in U.S. District Court for Eastern Missouri in Cape Girardeau.

Ascension “detected unusual activity” on its network May 8 when computer issues “that initially seemed like isolated incidents were quickly discovered to be happening all over the Ascension network across the country,” the complaint said. Later that day, after Ascension detected a ransomware attack that took down its electronic health record system, online patient portal and other systems used to order tests and medications, “essentially taking 140 hospital systems across the US entirely offline,” the complaint alleged. To date, it said, “the majority of Ascension’s facilities remain unable to access their electronic health record system” and have been “reliant solely on paper charting for over a month,” it alleged.

The healthcare system, which hosted 16.4 million doctor office and clinic visits last year, has not yet disclosed how long hackers had “unconstrained access to its systems before their activity was discovered,” the complaint said. Ascension is responsible for more than 3,000 U.S. healthcare facilities “and the data of tens of millions of current and former patients,” the complaint said.

Russian ransomware group Black Basta claimed the attack, the complaint said. The group is “well-known for its use of a double extortion tactic, wherein hackers encrypt critical data and vital servers and demand a ransom in exchange for restoring access to the encrypted systems and files," it said. Typically, hackers then threaten they will “publish or sell sensitive data on the Dark Web if an additional ransom is not paid," the complaint said.

The healthcare company’s “failure to employ adequate network segmentation ensured that hackers had access to not just one hospital’s system but the systems of hundreds of hospitals, outpatient clinics, virtual providers, and senior living facilities across the country,” the complaint alleged. Despite its “significant resources” of $28.3 billion revenue and $40.5 billion in assets in 2023, Ascension “failed to invest in adequate cybersecurity, which resulted in a massive data breach that has harmed millions of people” across the U.S., it said.

After recent high-profile cyberattacks across the healthcare industry -- including the Change Healthcare breach three months prior and “numerous warnings by government agencies" -- a data breach was a "known risk to Ascension,” the complaint said. Yet, Ascension “failed to take the necessary steps to secure” patients’ private information, the complaint said.

Plaintiffs Sue Croft, Maplesville, Alabama; Courtney Brown, Pensacola, Florida; Linda Sue Dunn, Mountain Home, Arkansas; Vikesha Exford, Midfield, Alabama; Tiffany Farrand, Milwaukee; Cheryl Hayes, Tulsa; Donald Pitchers, Evansville, Indiana; and Michele Rutherford, Wichita, Kansas, alleged they suffered concrete losses as a result of the breach, including invasion of privacy, theft of private information, and lost or diminished value of their PII and PHI. They also suffered lost time and opportunity costs associated with trying to mitigate the consequences of the breach, continued and increased risk to their private information, plus statutory and nominal damages.

To date, the plaintiffs haven’t received notice from Ascension about the breach, the complaint said. They learned about the breach in various ways: from browsing online, a Facebook post, a conversation between co-workers, news reports and word of mouth, the complaint said. All the plaintiffs assert they are at risk for identity theft and fraud now and in the future, as a result of the cyberattack.

The most recent notice on Ascension's website concerning the breach, dated June 14, says electronic health record access “has been restored across our ministries,” and that hospital and clinic workflow “will function similarly to the way it did prior to the ransomware attack.” Patients “should see improved efficiencies in appointment scheduling, wait times for appointments and prescription fulfillment,” but the investigation, “along with remediation of additional systems,” is ongoing, it said.

The plaintiffs assert claims of negligence and negligence per se; breach of implied contract; unjust enrichment; and violations of consumer protection laws in Missouri, Arkansas, Florida, Indiana, Kansas, Oklahoma and Wisconsin.

The plaintiffs seek on behalf of themselves and the class equitable relief enjoining Ascension from engaging in the wrongful conduct described, an order requiring it to implement and maintain a threat management program; awards of actual, nominal, statutory, consequential, and punitive damages; disgorgement and restitution of all earnings, profits, compensation and benefits received as a result of its unlawful acts; pre- and post-judgment interest; and attorneys’ fees and costs.