Dive Brief:
- Ascension is staring down two proposed class-action lawsuits just one week after a cyberattack took systems offline across its 140-hospital portfolio, forcing the nonprofit system to divert ambulances and pause elective care.
- In complaints filed in the District Courts of Illinois and Texas, plaintiffs allege Ascension acted negligently by failing to encrypt patient data and said the attack leaves them “at a heightened risk of identity theft for years to come.”
- Ascension has not said the attack compromised patient data. However, an investigation remains ongoing.
Dive Insight:
As cyberattacks against healthcare providers grow in frequency, so too have lawsuits filed by patients aiming to hold systems accountable for alleged damages, including possible violations of privacy.
Lawsuits can be filed before health systems have even ascertained whether patients’ private information was compromised.
Change Healthcare, for example, was still investigating the scope of a February cyberattack when it was hit with multiple class-action lawsuits. And last summer, HCA Healthcare was sued a week after an attack that impacted up to 11 million patient records.
Plaintiffs in the Illinois lawsuit claim the breach itself demonstrates negligence. They argue if Ascension had properly encrypted data, any data stolen by cyber criminal group Black Basta would be rendered useless.
However, the nonprofit provider has yet to confirm any compromised patient data.
“We are conducting a thorough investigation of the incident with the support of leading cybersecurity experts and law enforcement,” an Ascension spokesperson told Healthcare Dive Wednesday. “If we determine sensitive data was potentially exfiltrated or accessed, we will notify and support the affected individuals in accordance with all relevant regulatory and legal obligations.”
David Kessler, head of privacy, information governance and eDiscovery at law firm Norton Rose Fulbright, told Healthcare Dive that plaintiffs’ arguments that breaches automatically equate to negligence were the “antithesis to case law.”
“The understanding is that there is no such thing as perfect data security — these events are going to happen, that's the reality of our information age,” Kessler said. “The question is, did the data owner… take reasonable steps… to prevent the event?”
Still, despite questionable legal ground — including damages based on future harms, such as possible identity theft — Kessler said most breach cases end up settling out of court rather than through litigation.
While this may behoove companies in the short term, it leaves unanswered questions about what it means to have reasonable data security.
“I don't think there's been a lot of bright-line rules developed in the case law around what is reasonable security or data governance,” Kessler said. “And so until that settles out — which might take a very long time — there's gonna be a lot of opportunities to bring cases because it's very unclear if there's liability.”
Some regulators are taking a stab at answering that question both domestically and internationally, including the Data Protection Authority in Europe and the NIST Cybersecurity Framework.
However, Kessler said cybersecurity is developing at such a quick clip that guidance becomes outdated almost as soon as it is announced.
“Absent really strong regulatory or legislative action, we're always gonna be playing catch up,” he said.