Less than one month after Ascension confirmed a data breach, the health system is staring down six class action lawsuits.
Filed in courts from Texas to Tennessee, the separate complaints allege that Ascension failed to properly safeguard patients’ personal health information. The plaintiffs—all patients of the 140-hospital system, which operates in 19 states and the District of Columbia—seek monetary damages and injunctive and declaratory relief.
One of the lawsuits, filed May 13 by Ana Marie Turner, a former patient of Ascension Seton in Texas, alleges that the system “breach[ed] [an] implied covenant” between patient and provider. Turner is “very careful about sharing her sensitive private information,” and “would not have entrusted her private information to the defendant had she known of defendant’s lax data security policies,” according to court documents obtained by Newsweek.
Ascension’s case doesn’t stand alone. The number of class action lawsuits representing people who have had their data exfiltrated has “exploded” in the last five years, according to Gary Mason, a partner at the Washington, D.C.-based law firm Mason LLP. When Mason spoke to Newsweek by phone on June 7, his firm had more than 100 pending class action suits involving health care data breaches.
Health care organizations are the “most vulnerable” to cyberattacks due to the sensitivity of their stored data and their inability to halt operations while systems are down, Mason said. The industry also has the “least resources” to apply to data protections.
Health care cybersecurity providers agree that hospitals are financially under-resourced. But they tend to disagree that litigation is an appropriate course of action. Michael Hamilton, founder and chief information security officer of the American Hospital Association-preferred cybersecurity provider Critical Insight, told Newsweek that such lawsuits are often misplaced.
“We have to stop class action-ing hospitals after these events,” Hamilton said in an interview with Newsweek May 10. “There is a difference between the public harm done by these events as opposed to the private responsibility to make them not happen.”
Hospitals’ insufficient data protections are less about negligence and more about need, according to Hamilton, who frequently assists these organizations post-breach. They are rarely profitable enough to make sizable cybersecurity investments, and in the current sink-or-swim environment, multiple priorities are competing for limited resources.
James Trainor is the former lead of the FBI’s cyber division and current senior vice president of the cyber solutions group at Aon, a risk management services provider also preferred by the American Hospital Association. He agreed that health systems’ financial challenges are stunting investments in cybersecurity, adding that technology is not a “core competency” of most hospitals.
“Cybersecurity is incredibly important to regulate under HIPAA, in terms of protecting the data,” Trainor said. “But there’s a lot of financial stress on hospitals, so the ability to devote more financial resources to cyber is easier said than done.”
Cyberattacks come with costs beyond those incurred in lawsuits and settlements, dealing hefty blows to these financially fragile organizations. In 2023, the average health care data breach cost $10.93 million, including losses from detection and escalation activities, post-breach responses and notifications, and lost business, according to IBM. Health care sports the highest cost of all industries studied, nearly doubling that of the second-most-expensive sector: finance.
Legal costs can add millions to the price. Logan Health recently agreed to a $4.3 million settlement with more than 213,000 patients and employees whose information was compromised during a 2021 cyberattack—the Montana-based system previously paid $4.2 million for a similar settlement in 2020. Last summer, Good Samaritan Hospital in San Jose, California, agreed to pay class members between $1,500 and $5,000 each for damages suffered in a 2020 data breach—and invested nearly $460,000 into data security improvements.
It is becoming more common for plaintiffs to receive cash payments from these types of lawsuits, according to Mason. In the past, typical settlements allowed for recovery of “actual damages,” like un-refunded credit card bills and banking fees resulting from a data breach. Now, patients can be paid for the time they spent taking proactive measures in the wake of a data breach—like monitoring bank statements and credit cards—at an average rate of $15 to $25 per hour.
The cash payments are “to compensate, generally, for being a victim, for the hassle, for the diminished value of your data, for failure of the institution to safeguard your data and give you the services that you believe you pay for,” Mason said. Meanwhile, free credit monitoring—often offered in initial incident notification letters—is losing its shine; it has become so common that many people already have it.
Typically, a hospital’s ability to pay out class members is discussed in mediation. All factors are considered as both parties move toward a resolution, including nonprofit status and service to low-income communities. Typically, payments come from the hospital’s insurance, according to Mason.
“We’re not in the business of trying to shut down hospitals when they’ve gone through something terrible,” Mason said.
So why go after the hospital that was attacked, and not after the entity that attacked it in the first place? The only way to get justice for patients is to pursue the organization that left a door open, not the burglar who went inside, according to Mason.
“These tend to be really criminal outfits,” Mason said. “They’re operated in Russia, Eastern Europe. That’s not reachable for us, that’s something the FBI deals with in terms of actually trying to trace down the bad actors.”
Law firms aren’t the only ones looking for holes in hospitals’ policies after a cyber event. Under HIPAA, health systems are required to report major data breaches involving protected health information to the U.S. Department of Health and Human Services (HHS)—prompting investigations and, sometimes, corrective action.
HHS’ resolution can come years after the initial incident transpired. Montefiore Medical Center in New York City reported a breach of unsecured protected health information in 2015 after one of its employees inappropriately accessed and sold 12,517 patients’ data. In November 2023, the hospital agreed to HHS’ terms, including a $4.75 million settlement, a corrective action plan and two years of federal monitoring.
“With health care systems across the country continuing to be targets for data breaches and malicious cyberattacks, we take our responsibility to protect patient information very seriously and remain committed to ensuring safety protocols and cybersecurity safeguards are always maintained to protect our patients’ privacy,” a spokesperson for Montefiore told Newsweek in an emailed statement.
But HHS’ methods have been called into question. In a February interview, Iliana Peters, a former official in the department’s Office of Civil Rights, suggested it focus investigative efforts on organizations that cover up major data breaches to avoid scrutiny.
“There’s a bit of a disconnect in terms of where we’re trying to go and the resources that are available—at least so far—particularly given that HHS focuses its enforcement on entities that are already reporting breaches,” Peters told GovInfoSecurity.
Both Aon’s Trainor and Critical Insight’s Hamilton agreed that the federal government should devote more aid to health systems to bolster their cybersecurity capabilities. President Joe Biden’s administration has taken steps to do so, including the creation of a national cybersecurity strategy, and the allotment of $1.3 billion in his 2025 budget proposal to support hospitals’ cybersecurity efforts.
In the meantime, hospitals remain targets.
“These companies are victims of crime,” Trainor said. “Mistakes are going to be made by companies, it’s a complicated technical environment you inherit. Not to say folks shouldn’t be held accountable for bad decisions, but a little bit of empathy with these victims who have gone through these significant crimes is important, I think, to keep in focus.”
Mason is continuing to advocate for the other victims of the same crimes—the patients—despite corporate pushback on class action lawsuits.
“At the end of the day, if we’re able to send checks for clients for $50, $100 because they’re victims of this, they’re happy,” Mason said. “And that’s how the justice system works in terms of correcting wrongs, providing some sort of monetary compensation to people. We’re always happy to be able to do that.”