Class Action Lawsuit Filed Against CommonSpirit Health Because of Ransomware Attack and Data Breach

The health system CommonSpirit Health based in Chicago, IL is dealing with a class action lawsuit due to a ransomware attack in October 2022. Malicious actors accessed its IT network on September 16, 2022, and used ransomware on October 2, 2022. The attack resulted in the deactivation of its electronic medical record system and considerably disrupted operations for a couple of weeks. The catholic health system even had to call off a lot of consultations. The forensic investigation confirmed the potential compromise of the protected health information (PHI) of Virginia Mason Franciscan Health patients during the attack. Virginia Mason Franciscan Health manages St. Anne Hospital, St. Anthony Hospital, St. Elizabeth Hospital, St. Clare Hospital, St. Joseph Hospital, St. Michael Medical Center, and St. Francis Hospital. CommonSpirit Health stated the breached data only included names, telephone numbers, addresses, birth dates, and unique ID numbers. The data breach report submitted to the HHS’ Office for Civil Rights indicated that 623,774 individuals were affected.

At the end of December, legal action was submitted in the District Court for the Northern District of Illinois on behalf of Leeroy Perkins, a patient of Virginia Mason Franciscan Health, as well as other likewise impacted patients. The lawsuit claims CommonSpirit Health failed to use and follow standard cybersecurity processes and industry cybersecurity guidelines thereby allowing unauthorized persons to acquire access to patients’ sensitive information, putting impacted patients in danger of identity theft and fraud.

Perkins states that he had to spend time checking his accounts and altering passwords, and currently faces an elevated risk of identity theft and fraud due to the information breach. He additionally claims there will be costs on payments for identity theft protection and credit monitoring for years, and he is likely to have a lower credit score. The lawsuit wants class-action status, compensation over $5 million, and injunctive relief, which includes CommonSpirit Health using stronger cybersecurity procedures to secure patient information.

Filing of lawsuits against healthcare companies that have encountered ransomware and other cyberattacks is common nowadays, particularly when data breaches impact thousands of patients; nevertheless, to ensure the success of lawsuits, the plaintiffs need to prove they were harmed because of a data breach. Lawsuits frequently fail because they are based only on an increased threat of identity theft and fraud.

In 2021, a Delaware Superior Court judge dismissed a lawsuit against Brandywine Urology Consultants when the plaintiffs could not present enough proof that they were hurt by the breach. A plaintiff claiming that it is going to suffer potential injuries due to a defendant’s presumably inappropriate conduct should prove that such injuries are undoubtedly impending, and should show a possibility that the damage will be redressed by a good decision, stated the Honorable Mary M. Johnston in the decision dropping the case. The plaintiffs claimed to have sustained costs because of the breach, however, the judge decided that expenditures suffered based on a speculative risk are not enough to confer standing.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at