A proposed class action lawsuit filed this week against St. Joseph’s/Candler Health System in the wake of a recent ransomware breach affecting 1.4 million individuals alleges that the Georgia-based healthcare entity was “reckless” and “negligent” in safeguarding patients’ information.
The lawsuit, filed against St. Joseph’s/Candler on Tuesday in a federal Georgia court by patient Heather Betz on behalf of herself and others similarly situated, alleges, among other claims, that the entity failed to act on warnings by federal authorities and cybersecurity experts about the ransomware threats facing the sector.
The lawsuit seeks damages and five years of credit and identity monitoring, as well as improvements to the healthcare system’s data security.
Savannah, Georgia-based St. Joseph’s/Candler is a 714-bed healthcare system that includes two hospitals and several other facilities.
“Despite repeated, explicit, detailed warnings as to the manner in which hackers were targeting hospitals’ IT systems and how to prevent such attacks, the defendant maintained an IT system vulnerable to attacks from those very same cybercriminals,” the complaint alleges.
It says the data breach was the direct result of St. Joseph’s/Candler’s failure to implement security protocols that were adequate and reasonable.
Additionally, despite concrete and specific instructions from federal agencies and cybersecurity experts, St. Joseph’s/Candler failed to implement reasonable and necessary measures to monitor its IT and data systems to detect cybercriminals’ intrusion into its network, the lawsuit alleges.
The healthcare provider says it “immediately” took steps to isolate and secure its systems, notify law enforcement authorities and launch an investigation with the assistance of cybersecurity firms.
St. Joseph’s/Candler says its investigation determined that the incident resulted from an unauthorized party gaining access to the organization’s IT network between Dec. 18, 2020, and June 17, 2021.
“While in our IT network, the unauthorized party launched a ransomware attack that made files on our systems inaccessible,” the entity said in its statement.
Potentially compromised files contained patient names, addresses, dates of birth, Social Security numbers, driver’s license numbers, patient account numbers, billing account numbers, financial information, health insurance plan member IDs, medical record numbers, dates of service, provider names and treatment information, the statement says.
‘Coup de Grâce’ Attack
From the time the unauthorized access to St. Joseph’s/Candler’s IT network began in December 2020, cybercriminals were allowed months “to roam freely and undetected” in the entity’s network, putting individuals’ personally identifiable information and protected health information at risk for identity theft, fraud and other cybercrimes, the lawsuit alleges.
The suspicious activity detected on June 17 was the “coup de grâce” – or death blow – of the hackers’ six-month attack, the complaint alleges.
“They were holding the hospital system’s IT systems hostage, demanding an as-yet-unknown payment in order to release their hold on the system.”
The lawsuit alleges that all of St. Joseph’s/Candler’s IT systems went down at 4 a.m. on June 17, including its electronic medical records and VoIP phones.
It took more than two weeks for St. Joseph’s/Candler “to slowly come back online,” the lawsuit alleges.
The complaint alleges negligence, breach of contract, breach of fiduciary duty and violations of Georgia laws, including its unfair business practice laws, among other claims.
St. Joseph’s/Candler did not immediately respond to an Information Security Media Group request for comment on the lawsuit and its allegations.