Class action lawsuit seeks to send message about the importance of safeguarding data

Oct. 23, 2014
Community Health Systems being sued over breach that exposed information on 4.5M patients

Community Health Systems (CHS), which operates 206 hospitals in 29 states across the U.S., reported earlier this year that it suffered a data breach that exposed the personal information of 4.5 million patients. In a statement filed by the company with the Securities and Exchange Commission in August, the company said it believes the attack occurred in April and June and was carried out by an “Advanced Persistent Threat” group based in China. Although the data taken did not include credit card, medical or clinical information of patients, it did include their names, addresses, birthdates, phone numbers and Social Security numbers.

Last month, two law firms, Slack & Davis and The Branch Law Firm, filed a class action lawsuit in New Mexico against CHS, alleging that the healthcare company was negligent in failing to implement and follow basic security procedures. As a result, the lawsuit claims that affected patients face a “substantial increased risk of identity theft, if not actual identity theft,” and will have to spend a significant amount of time and money to protect themselves.

Some of the specific allegations in the lawsuit include:

  • Defendants (CHS and its subsidiary hospitals in New Mexico) stored plaintiff’s sensitive information in an unprotected, unguarded, unsecured and/or otherwise unreasonably protected electronic and/or physical location.
  • Defendants did not adequately encrypt, if at all, plaintiff’s sensitive information.
  • Defendants did not provide adequate security measures to protect plaintiff’s sensitive information.
  • Defendants have taken no action to promptly notify their patients that were affected by the breach.
  • Defendants’ failure to notify its patients of this data breach in a reasonable time caused plaintiff to remain ignorant of the breach and therefore unable to take action to protect herself (Briana Brito, the plaintiff who represents the class) from harm.

Paula Knippa, an attorney with Slack & Davis, said that they have spoken with more than 100 other New Mexico residents who are members of the affected class and that they have also been contacted by patients who were treated at CHS facilities in 16 other states.

Although she couldn’t speak to the mechanics of how some of the other large data breaches that have come to light recently were carried out, Knippa said that in the case of CHS, they used a test server loaded with password information that would allow that test server to access the company’s entire database.

“They didn’t put in or install security features that would protect the test server from hackers and the reason that they didn’t do that is they thought: ‘This will never be connected to the Internet, it’s only a test server,’” explained Knippa. “What happened was it did get connected to the Internet. Somebody at the front-end didn’t tell somebody at the back-end: ‘Hey, don’t use this server again or connect it to the larger system because it hasn’t been security-proofed.’ It allowed a bug that could have easily been defended against, the Heartbleed bug, to access the test server and expose 4.5 million people’s information to identity thieves.”

Knippa said that CHS has an obligation under the Health Insurance Portability and Accountability Act (HIPAA), as well as a patchwork of legislation by different states, to not only protect patient information but notify people as soon as possible if a breach is detected, which she says didn’t happen in this case.

“Obviously, if people aren’t aware, they can’t be put on alert to recognize fraudulent activity if their identity has been stolen,” said Knippa. “The kind of information that was stolen – names, address, Social Security number, driver’s license number – those numbers don’t change. You can change a password and protect yourself that way, but you can’t change your driver’s license or Social Security number, and this information is now in the hands of thieves who can use it years from now.”

The lawsuit seeks damages to help victims of the data breach pay for ongoing credit monitoring services and insurance in case their identities are stolen. Knippa said that this protection is going to have to last longer than a year because the information obtained by the thieves can be exploited for years. Additionally, Knippa said that there are also monetary damages associated with the stress and anxiety that come along with this type of theft that they will ask the court to consider.

Aside from providing monetary relief for affected patients, Knippa said she hopes this case will send a message to all organizations about the importance of safeguarding personal information that has been entrusted to their care.

“That is one of the purposes of a class action - to put the company on notice and educate the public and really apply public pressure on the company to improve their cybersecurity measures,” concluded Knippa. “From all of the literature I’ve been reading and reviewing, the healthcare industry is really deemed as a slacker in terms of its implementation of effective cybersecurity measures.”

Calls seeking comment about the lawsuit from CHS were not returned.

About the Author

Joel Griffin | Editor-in-Chief, SecurityInfoWatch.com

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com, a business-to-business news website published by Endeavor Business Media that covers all aspects of the physical security industry. Joel has covered the security industry since May 2008 when he first joined the site as assistant editor. Prior to SecurityInfoWatch, Joel worked as a staff reporter for two years at the Newton Citizen, a daily newspaper located in the suburban Atlanta city of Covington, Ga.