Four Patients File Lawsuit Claiming Ransomware Attack Against Alabama Hospital System Disrupted Their Medical Care
In October 2019, a ransomware attack forced a multi-hospital health system to be offline for 10 days to allow the system to be re-built and recover patient data. While the system was offline, some non-emergency appointments were cancelled, patients’ treatments were delayed, and some patients were forced to seek medical care from medical providers in other parts of the state.
The four plaintiffs named in the lawsuit
allege that these delays are the reason for the lawsuit being filed. The
plaintiffs claim that the health system’s violation of state laws and the Health
Insurance Portability and Accountability Act (HIPAA) due to
the system’s failure to implement appropriate cybersecurity measures for
protecting its systems and data constituted negligence. The lawsuit also
alleges that plaintiffs’ protected health information (PHI) was compromised,
along with a breach of contract and breach of fiduciary duty.
One patient was a girl who experienced a severe allergy reaction. Her mother, one of the plaintiffs, claims the delay caused the girl to suffer for 3-days until her swelling resolved. Another patient in the hospital following surgery says her prescribed medications were not available during her stay. Still another patient who had visited the emergency room and had x-rays taken claims her orthopedic treatment was delayed due to the ransomware attack.
Compliance Perspective
Failure to have appropriate cybersecurity measures in place to protect patient data and prevent a disruption in the provision of medical services in the event of a ransomware attack may be considered a violation of state and federal regulations and result in lawsuits and assessment of civil money penalties.
Discussion Points:
- Review policies and procedures to ensure that the appropriate measures have been implemented to prevent a ransomware attack and disruption in the provision of medical services, and to safeguard the protected health information (PHI) of patients.
- Train staff on the protocols to follow to prevent or respond to a ransomware attack.
- Periodically audit to determine that data and all PHI are appropriately and timely backed-up and safeguarded from ransomware and other malicious cyber-attacks.
UNDERSTANDING AND PREVENTING RANSOMWARE, APTS, AND ZERO DAY EXPLOIT ATTACKS
