CommonSpirit Health data breach, online shutdown affected VMFH patients. Now one is suing

Debbie Cockrell

The parent company of Virginia Mason Franciscan Health faces a proposed class-action lawsuit over a ransomware attack that disrupted appointments, procedures, electronic-record access and more in October at VMFH facilities.

A complaint was filed Dec. 29 in U.S. District Court for the Northern District of Illinois against Chicago-based CommonSpirit Health by Leeroy Perkins of Washington state.

The filing was first reported in Crain’s Chicago Business.

Perkins, a VMFH patient, received a data-breach notification informing him that his personally identifying information and protected health information “had been compromised in the data breach,” according to the filing, a copy of which was obtained by The News Tribune.

A representative for CommonSpirit Health told The News Tribune via email that “we’re not able to comment at this time,” in response to the lawsuit.

Patients and staff with the health system in early October lost access to the system’s online patient portal and electronic records. Appointments shifted to paper-based forms, and paper charts and canceled appointments took hold as offices and hospitals struggled to operate without digital data access.

CommonSpirit on Oct. 12 announced a ransomware attack was to blame. Its filing with the U.S. Department of Health breach portal said the breach impacted data for 623,774 patients.

An announcement in December from CommonSpirit said that the breach included patients in the Puget Sound area, and that its investigation showed “that the unauthorized third party gained access to certain files, including files that contained personal information.”

“The investigation determined that an unauthorized third party gained access to certain portions of CommonSpirit’s network between September 16, 2022 and October 3, 2022,” according to the company.

It added, “CommonSpirit Health has no evidence that any personal information has been misused as a result of the incident.”

The lawsuit seeks class-action status as well as damages, restitution and other forms of monetary relief, accusing CommonSpirit of “inadequate data security measures,” despite being “well aware that the (personal information) it collects is highly sensitive and of significant value to those who would use it for wrongful purposes.”

The complaint stated that “there is virtually no way to ensure that the exposed information has been fully recovered or obtained against future misuse. For this reason, plaintiff and class members will need to maintain these heightened measures for years, and possibly their entire lives as a result of defendant’s conduct.”

No further details were made available from Perkins’ legal team after multiple requests from The News Tribune.

Advertisement