A Massachusetts hospital that suffered a cyber attack in December has been hit with a category motion lawsuit for its alleged failure to safe sufferers’ private info.
Anna Jaques Hospital in Newburyport skilled a big shutdown of its digital medical information techniques and networked computer systems on December 24, 2023. The assault brought on the hospital to redirect ambulances to different hospitals on Christmas day till service was restored on December 26.
The not-for-profit neighborhood hospital, a part of the Beth Israel Lahey Well being System, acknowledged on January 5 that the assault occurred.
In keeping with The Record revealed by Recorded Future Information, a ransomware gang referred to as Cash Message has publicly admitted it was behind the Anna Jaques assault. It didn’t say how a lot of a ransom it’s demanding.
The proposed class motion, introduced by Salisbury resident Gary Cabozzi, seeks damages and attorneys charges for the category of plaintiffs and court docket orders for the hospital to enhance its knowledge safety techniques. It alleges negligence and breach of implied contract and good religion by the hospital for failing to guard knowledge.
The grievance additionally criticizes the hospital for “concealing the existence and extent of the information breach for an unreasonable length of time” and allegedly failing to offer correct discover of the information breach. The hospital has nonetheless not notified its personal clientele in regards to the knowledge breach, the lawsuit claims.
On January 5, the hospital mentioned that if it finds that knowledge has been impacted by this incident, it’ll ship all required notifications in accordance with state and federal legal guidelines to sufferers, distributors, and impacted events.
Cabozzi complains that he solely discovered in regards to the cyber incident from native information stories.
In keeping with the lawsuit, whereas the entire variety of people who’ve had their knowledge uncovered because of the cyber assault is unknown right now, the quantity is estimated to be within the tens and even lots of of hundreds.
The information that would have been uncovered or stolen embrace private well being info comparable to medical information and historical past, take a look at outcomes, process descriptions, diagnoses, and private or household medical histories, the grievance says.
The swimsuit additionally claims personally identifiable info (PII) comparable to Social Safety numbers, passport numbers, driver’s license numbers, and monetary account numbers may have been breached.
A number of the knowledge is “extremely delicate and presents a excessive danger of identification theft or fraud” and it’s “seemingly” that among the info that has been uncovered has already been misused, the lawsuit claims.
In keeping with the Newburyport Day by day Information, which first reported the incident, the hospital said on January 2 — greater than every week after the occasion — that it was nonetheless working with exterior cybersecurity officers to revive info techniques affected by the assault.
The hospital spokesperson informed the native newspaper that the FBI is conducting its personal investigation.
The hospital, with greater than 1,000 staff, is the most important employer within the small coastal metropolis that’s north of Boston and near the New Hampshire border.
On account of a merger in 2019, Anna Jaques is clinically affiliated with Beth Israel Deaconess Medical Heart, a Boston educational medical heart and educating hospital of Harvard Medical College.
The swimsuit looking for class motion standing was filed in Massachusetts Superior Courtroom for Essex County by two attorneys, one from Connecticut, the opposite from Puerto Rico.
The Anna Jaques incident is the newest in a sequence of assaults on hospitals.
Final November, a ransomware attack prompted a Nashville-based healthcare chain that operates 30 hospitals in six states to divert sufferers to different hospitals and pause sure elective procedures. Ardent Well being Companies owns and operates 30 hospitals and greater than 200 care websites in Oklahoma, Texas, New Jersey, New Mexico, Idaho and Kansas.
In October, two New York hospitals that had been hit with a cyberattack needed to shut down their laptop techniques to analyze.
In August, hospitals and clinics in a number of states run by Prospect Medical Holdings had been pressured to close down some main care, emergency rooms and ambulance companies whereas recovering from a cyberattack. Prospect, which relies in California, has hospitals and clinics there and in Texas, Connecticut, Rhode Island and Pennsylvania.
Excited by Cyber?
Get computerized alerts for this subject.