June 15, 2023
Trinity Health, Mercy Health Network, and Mercy Medical Center – Clinton face a class action lawsuit in the US District Court for Iowa’s Southern District. The case arises from a recent cyberattack and subsequent data breach that impacted approximately 21,000 patients.
As the legal battle unfolds, the plaintiffs seek accountability and compensation for the breach of records containing their personal and sensitive information. The cyberattack on Trinity Health sheds light on the growing concerns surrounding cybersecurity and the potential repercussions today’s healthcare organizations face in the wake of such incidents.
Discovery of Cyberattack and Data Breach On Trinity Health
Trinity Health, a Livonia, Michigan-based healthcare organization, recently faced a significant cybersecurity incident. The incident occurred in March 2023 and involved a cyberattack that targeted their systems, specifically those containing sensitive patient data. After conducting a thorough forensic investigation, it was determined that unauthorized individuals had gained access to these systems on March 7, 2023. The breach continued until April 4, 2023, when appropriate security measures were put in place to safeguard the compromised systems.
During the breach, the attackers managed to access various personal and medical information belonging to affected individuals. This compromised data includes names, addresses, birth dates, Social Security numbers, diagnosis codes, treatment information, prescription details, as well as service and discharge records.
In response to the breach, Trinity Health is offering the affected individuals a year of free credit monitoring services. The intent is to help patients watch over and secure their financial information, adding a layer of defense against identity theft and potential fraud.
Class Action Lawsuit Filed Against Trinity Health
The Trinity Health class action lawsuit was initiated on June 12, 2023, by plaintiff Jennifer Medenblik, asserting that the defendants neglected their duty to safeguard patients’ sensitive data and failed to monitor their systems for intrusions. As a consequence, hackers were able to breach the network, gaining access to the protected health information of 21,000 patients and remaining undetected within the systems for an entire month.
Upon discovering the breach, Trinity Health promptly informed the affected patients. However, the lawsuit contends that these notifications were insufficient and lacked the necessary support. Furthermore, it alleges that the defendants have failed to provide the affected patients with satisfactory assurances regarding the recovery or deletion of the compromised data. Additionally, the lawsuit emphasizes that adequate cybersecurity measures have not been implemented post-data breach to avert future security breaches.
The lawsuit, titled Medenblik v. Trinity Health Corporation et al., includes serious allegations, including negligence, breach of contract, and breach of confidence. It asserts that the plaintiff and class members have endured, and currently face, an elevated and persistent threat of incurring measurable damages. The legal action seeks class-action status, a trial by jury, compensation, and sufficient funds for the plaintiffs and class members to obtain lifelong credit monitoring services and identity theft insurance.
Violations of the HIPAA Security Rule and Best Practices
The complaint states that Trinity Health committed multiple violations of the HIPAA Security Rule. It also asserts that the defendant disregarded the Federal Trade Commission’s (FTC) rules as well as the standards advised by the healthcare sector for protecting sensitive data.
The allegations put forth in this legal action therefore revolve around violations of the HIPAA Security Rule, a pivotal component for ensuring the confidentiality, integrity, and availability of protected health information (PHI). The rule obliges entities entrusted with PHI to implement suitable administrative, technical, and physical safeguards to prevent unauthorized access and disclosure.
Furthermore, the lawsuit asserts that the defendant has neglected to follow the healthcare sector’s best practices in securing delicate data. These best practices encompass a comprehensive array of measures, which may include the following:
- User access controls: Implementing stringent access controls, including multi-factor authentication and role-based user permissions, helps validate the identity of individuals or entities trying to access sensitive health data.
- High-level encryption: This involves using strong encryption technology to maintain the confidentiality of health data, making it unreadable to unauthorized individuals or entities.
- Periodic security assessments: Carrying out regular security assessments to identify and address vulnerabilities in data systems.
- Regular HIPAA training: With training, organizations can educate employees about the latest updates and changes pertaining to HIPAA guidelines.
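The access-control and monitoring points in the list above, worked through as an added example. This is not code from the article, from Trinity Health, or from any party to the lawsuit; the roles, permitted fields, user names and patient records are constructed for illustration. It enforces role-based, MFA-gated reads of PHI fields, writes every attempt to an audit log, and then runs a simple detection over that log to flag an account that reads far more patient records than its role plausibly needs, the kind of check whose absence lets an intruder stay unnoticed for weeks.

```python
"""Role-based PHI access with an audit trail and a bulk-read detection check.

Added example for this article; roles, fields, users and records are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role -> permitted PHI fields. Each role sees only what its job needs
# (least privilege): SSNs stay with billing, clinical fields with clinicians.
ROLE_PERMISSIONS = {
    "billing": {"name", "address", "ssn", "service_dates"},
    "clinician": {"name", "dob", "diagnosis_codes", "prescriptions", "discharge"},
    "receptionist": {"name", "dob", "address"},
}


@dataclass
class AuditEvent:
    when: str
    user: str
    role: str
    patient_id: str
    fields: tuple
    outcome: str  # "allowed" or the reason for denial


@dataclass
class PhiStore:
    records: dict
    audit_log: list = field(default_factory=list)

    def _log(self, user, role, patient_id, fields, outcome):
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, role, patient_id, tuple(fields), outcome))

    def read(self, user, role, mfa_verified, patient_id, fields):
        """Return the requested fields or raise; every attempt, allowed or not, is logged."""
        allowed = ROLE_PERMISSIONS.get(role, set())
        if not mfa_verified:
            self._log(user, role, patient_id, fields, "denied: MFA not verified")
            raise PermissionError("multi-factor authentication required")
        excess = set(fields) - allowed
        if excess:
            self._log(user, role, patient_id, fields, f"denied: role {role} lacks {sorted(excess)}")
            raise PermissionError(f"role {role!r} may not read {sorted(excess)}")
        record = self.records.get(patient_id)
        if record is None:
            self._log(user, role, patient_id, fields, "denied: no such patient")
            raise KeyError(patient_id)
        self._log(user, role, patient_id, fields, "allowed")
        return {name: record[name] for name in fields}


def flag_bulk_readers(audit_log, max_patients):
    """Detection: users whose successful reads span more distinct patients than max_patients."""
    seen = {}
    for ev in audit_log:
        if ev.outcome == "allowed":
            seen.setdefault(ev.user, set()).add(ev.patient_id)
    return sorted(user for user, patients in seen.items() if len(patients) > max_patients)


def build_demo_store():
    # Constructed sample records; not real patient data.
    records = {
        f"P{i:03d}": {
            "name": f"Patient {i}", "dob": "1980-01-01", "address": "1 Example St",
            "ssn": "000-00-0000", "diagnosis_codes": ["Z00.00"], "prescriptions": [],
            "service_dates": ["2023-03-01"], "discharge": "2023-03-02",
        }
        for i in range(1, 6)
    }
    return PhiStore(records)


def run_demo():
    store = build_demo_store()
    outcomes = {}
    # A clinician reading clinical fields for one patient: allowed and logged.
    outcomes["clinician_read"] = store.read("dr_lee", "clinician", True, "P001", ["name", "diagnosis_codes"])
    # A receptionist asking for an SSN, and a clinician without MFA: both denied and logged.
    for case, args in {
        "receptionist_ssn": ("front_desk", "receptionist", True, "P001", ["ssn"]),
        "no_mfa": ("dr_lee", "clinician", False, "P001", ["name"]),
    }.items():
        try:
            store.read(*args)
            outcomes[case] = "allowed"
        except PermissionError as exc:
            outcomes[case] = f"denied: {exc}"
    # One billing account sweeping every record passes RBAC but should trip the volume check.
    for pid in store.records:
        store.read("bill_bot", "billing", True, pid, ["name", "ssn"])
    outcomes["flagged"] = flag_bulk_readers(store.audit_log, max_patients=3)
    outcomes["audit_events"] = len(store.audit_log)
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

The threshold in `flag_bulk_readers` is deliberately crude; in practice it would be a per-role baseline fed from the same audit log. The point is that the log must exist and be reviewed for any such check to run at all.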
By drawing attention to these purported violations of HIPAA, industry best practices, and FTC guidelines, the lawsuit aims to underscore the significance of fortifying the protection of sensitive data and the potential ramifications of failing to do so. It serves as a startling reminder that organizations must prioritize the security and privacy of personal information, particularly in today’s interconnected and data-centric landscape.