Ascension faces class action lawsuits for Black Basta ransomware attack
The cyberattack that brought down the Ascension IT Systems was "foreseeable and preventable," complaints say.
Photo: eclipse_images/Getty Images
Ascension is facing two class action lawsuits for the May 8 ransomware attack that reportedly continues to disrupt operations due to disconnection from the Epic EHR and cause long ER wait times for some of the health system's 140 hospitals.
On May 12, Katherine Negron filed a class action complaint against Ascension in the U.S. District Court for the Northern District of Illinois. On May 13, Ana Marie Turner filed a similar lawsuit in federal court for the Western District of Texas. Both civil suits, filed by the Law Offices of T.J. Jesky in Chicago, seek monetary damages and demand a jury trial.
The Black Basta ransomware attack brought down the Ascension IT Systems, the complaints said, citing the FBI and Cybersecurity and Infrastructure Security Agency (CISA).
The lawsuits allege that Ascension failed to safeguard personal identifying information and protected health information. Because of the cyberattack, the plaintiffs were unable to effectively communicate with their healthcare providers through the MyChart patient portal or receive the requisite medical care and attention they needed, the complaint said.
WHY THIS MATTERS
The ransomware attack resulted in the unauthorized disclosure of PHI, including names, dates of birth, patient records and Social Security numbers, the lawsuits said.
"Plaintiff and the Class also now forever face an amplified risk of further misuse, fraud and identity theft due to their sensitive Personal Information falling into the hands of cybercriminals as a result of the tortious conduct of the defendant," said the Negron lawsuit.
Ascension failed to implement "reasonable and industry standard data security practices," the lawsuit said. "The Data Breach was a direct result of Defendant's failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect patients' Private Information from a foreseeable and preventable cyberattack."
In addition, according to the complaint, "(the) Defendant maintained the Private Information in a reckless manner. In particular, the Private Information was maintained on Defendant's computer network in a condition vulnerable to cyberattacks."
The plaintiffs also want improvements to Ascension's data security systems, future annual audits and adequate credit-monitoring services.
THE LARGER TREND
The cyberattack affected one of the largest health systems in the country on the heels of a February ransomware attack that continues to impact Change Healthcare. Change is owned by Optum, which is affiliated with the largest insurer in the nation, UnitedHealthcare.
Change, which offers claims management, was immediately taken offline after the ransomware attack. While systems are coming back online, the disruption continues to affect hospital and physician practice revenue due to delays in claims payment.
UnitedHealth Group CEO Andrew Witty confirmed the company paid a $22 million ransom in bitcoin to protect personal health information.
Email the writer: SMorse@himss.org