WA family says private data exposed in ransomware attack, sues national health system
A second proposed class-action lawsuit has been filed against the parent company of Virginia Mason Franciscan Health following last fall’s data breach.
The latest suit was filed Jan. 13 in U.S. District Court for the Northern District of Illinois against Chicago-based CommonSpirit Health.
The case involves Jose Antonio Koch and his two children, not identified, who were patients at St. Michael Medical Center in Silverdale, Washington.
On Dec. 1, CommonSpirit Health notified the family that “its computer systems had been accessed and plaintiffs’ private Information had been involved in the data breach,” according to the filing.
The lawsuit contends, “For more than two weeks, between September 16, 2022, and October 3, 2022, CommonSpirit lost control of the highly sensitive private information” to an unauthorized third party in a ransomware attack.
“CommonSpirit has not been forthcoming about the data breach, which affected at least 623,774 individuals, at least 7 hospitals and potentially 300 medical care sites managed by defendant,” the filing states.
Chad Burns, media representative for CommonSpirit Health, told The News Tribune on Friday that the health care entity was “not able to comment on the suit at this time.”
CommonSpirit Health and in turn, VMFH, issued statements in October regarding the breach, which affected electronic records access for VMFH staff and patients, including a temporary shutdown of the MyChart patient portal.
The loss of access to electronic records in the health system led to widespread disruptions, including canceled appointments, paper charting and complications for some patients getting prescriptions filled.
St. Michael, at the same time, was experiencing serious staff shortages in its emergency department, compounding the electronic records crisis.
CommonSpirit Health in December said it had “no evidence that any personal information has been misused” as a result of the breach.
The Koch family seeks class-action status for the case, along with “not less than seven years of credit monitoring services for plaintiffs and class members.” The suit seeks “an award of actual damages, compensatory damages, statutory damages and statutory penalties in an amount to be determined and as allowable by law,” along with an award of punitive damages and costs of attorney fees, among other actions.
A previous lawsuit also seeking class-action status over the data breach was filed in late December in the same Illinois court against CommonSpirit Health by Leeroy Perkins, also a VMFH patient in Washington state.
