Tenet Health sued after affiliate hack, health data theft affects 1.2 million
A lawsuit has been filed against Tenet Healthcare and its Texas subsidiary Baptist Health System after Tenet notified 1.2 million patients of a breach that their data was stolen during a system hack in March.
The patient who filed the lawsuit is seeking $1 million in monetary compensation for the class action and claims his individual damages award was less than $75,000.
The lawsuit, filed in Dallas County District Court, alleges the stolen data was not encrypted prior to the cyberattack. It should be noted that the Health Insurance Portability and Accountability Act does not require data encryption if the provider has a documented, alternative security mechanism in place.
As previously reported, Baptist Medical Center and Resolute Health Hospital first discovered a system breach on April 20, several weeks after the incident began. An attacker installed malicious code on certain network systems and caused the provider to block user access to the affected IT applications.
Investigation of the intrusion revealed that the attackers used their weeks-long access to remove data containing patient information from the network.
While the stolen data did not include driver’s licenses, credit and debit card information, or bank account information, it may have included social security numbers, demographic data, contact details, health insurance information, medical record numbers, benefit data, diagnoses and treatments, facility names, reason for visit, claim dates, billing codes, and other sensitive data.
The notice shows that the providers improved their monitoring capabilities and system security after the incident, which the lawsuit says should have happened before the hack.
“To the best of their knowledge and belief, BHS and its employees failed to properly monitor the computer network and IT systems containing the private information,” the lawsuit states. In addition, patient data was kept in a “cyber-attack-prone state.”
The lawsuit further alleges that the hospitals were aware that the security mechanisms of their systems were a “known risk” and therefore officials were “notified that the failure to take the necessary steps to protect the private To protect information from these risks, I left this property in a dangerous condition.”
Specifically, the lawsuit argues that patients were not notified of the violation in a timely manner. However, Baptist Health issued its notification within the requirements set forth in HIPAA: within 60 days of discovery and without undue delay.
As a result of the data theft and “negligent conduct,” affected patients argue they are at increased risk of identity theft since the data is now in the hands of attackers. The data could be used for a range of fraudulent activities, including opening accounts or taking out loans on behalf of victims. The data can also be used to target the victim with other phishing campaigns.
Although the lawsuit alleges that victims of the breach “were at increased and imminent risk of fraud and identity theft,” it does not provide specific details of the actual harm suffered by patients as a direct result of the incident.
In June 2021, the Supreme Court ruled that only people “specifically harmed” by a breach are entitled to seek damages against a company.
The lawsuit seeks damages, reimbursement of expenses and injunctive relief, which could include requirements for the hospital to improve the security of its systems, undergo annual audits and provide victims with adequate credit monitoring services.