A Washington state resident has initiated a major lawsuit in a federal court in the state of
Illinois. The complaint, made by Mr Leeroy Perkins, alleges that a Chicago-based healthcare
system neglected to utilize essential data security procedures to keep patient health
information secure. The organization in question is CommonSpirit Health, a large-scale
Chicago-based hospital operator that oversees 140 hospitals across twenty-one states in the
United States. The organization places emphasis on individuals who are considered
vulnerable.
CommonSpirit uncovered alarming activity on its IT network at the beginning of October
last year. The organization promptly announced a security incident, and soon after
established that ransomware was present. The ransomware was found to be the work of an
unauthorized third party, who had the ability to access specific files, including those
containing personal data. CommonSpirit took action to secure its network, including
deliberately taking several of its systems offline. Following this, an
investigation with the aid of cybersecurity experts commenced. CommonSpirit
commented on the incident in a press release, stating the following:
“Upon discovering the ransomware attack, CommonSpirit quickly mobilized to protect its
systems, contain the incident, begin an investigation, and maintain continuity of care. In addition, CommonSpirit notified law enforcement and is supporting their ongoing
investigation. Once secured, systems were returned to the network with additional security
and monitoring tools.”
The ransomware attack targeted the key information of patients, and many personal details
were exposed, including:
name of patient
home address of patient
telephone number
date of birth
unique patient ID used by CommonSpirit
The federal complaint requested both declaratory and injunctive relief, in addition to
class-action status, payment for damages incurred, and restitution. Perkins was a patient
at Virginia Mason Franciscan Health, a facility that falls under the CommonSpirit health
system. Perkins is currently represented by Lynch Carpenter, a law firm based in Pittsburgh,
Pennsylvania. The lawsuit against CommonSpirit also alleges a delayed notification of
victims whose data had been compromised. In the filing, it is stated that the unauthorized
access was discovered in early October, yet the defendant did not begin notifying those
affected until two months following the discovery. This delay in communication is cited as a
violation of the federal Health Insurance Portability and Accountability Act (HIPAA).
According to the suit, the affiliates of CommonSpirit Health have also encountered issues
within their everyday operations. These problems involve difficulty in the creation of patient
appointments and inappropriate drug dosages prescribed by clinicians. These
issues are said to have disrupted the entire network, significantly affecting both patients
and employees.
Ransomware attacks are a growing worry in the health IT industry, as
organizations continue to digitalize the systems in which data is stored. In new research
conducted by Verizon, it was found that the rate of ransomware breaches increased by
approximately thirteen percent in 2022, a figure that eclipsed the previous five years
combined.