Mon Health is dealing with a class action lawsuit associated with a hacking incident that enabled unauthorized persons to acquire access to its system for 11 days in December 2021. According to Mon Health, it discovered the breach on December 30, 2021. Forensic investigation confirmed that hackers got access to its network from December 9 to December 19.
Mon Health reported the data security breach on February 28, 2022. The breach report stated that hackers accessed the personal data and protected health information (PHI) of 492,861 persons, which include data of patients, workers, vendors, and contractors. The following data were possibly viewed and stolen: names, addresses, dates of birth, Social Security numbers, patient account numbers, Medicare claim numbers, medical insurance data, medical record numbers, provider names, dates of service, claims details, and medical and clinical treatment data.
Clarksburg law firm, Morgan and Morgan, filed the lawsuit in Monongalia County Circuit Court in West Virginia naming Monongalia Health Systems Inc. along with affiliated hospitals, Stonewall Jackson Memorial Hospital Co., Monongalia County General Hospital Co., and Preston Memorial Hospital Corp as defendants, was filed by the . The lawsuit names Rachel Silbaugh, Robin Stripling, and Michael Stripling as plaintiffs, with all other individuals affected by the breach included as class members.
The lawsuit claims the data breach happened because Mon Health did not carry out proper cybersecurity measures and did not comply with the security requirements of the HIPAA Security Guideline, charging negligence, breach of confidence, breach of contract, and breach of implied contract. Although Mon Health sent the breach notification letters within the maximum period of time that the HIPAA Breach Notification Rule allows, the plaintiffs assert the notification letters were late and were woefully lacking in details regarding the breach.
Generally, whenever healthcare companies encounter a breach of the types of data that identity thieves are after, impacted persons are provided free credit monitoring services. The plaintiffs state that Mon Health did not provide these and that they were left alone to check for improper use of their personal data. The plaintiffs assert they are confronted with an instant and continuing risk of identity theft and fraudulence because of the data breach and will still experience problems, such as paying for the expense of continuing credit monitoring and identity theft protection services.
The lawsuit wants class certification, compensation for out-of-pocket costs, and equitable relief, stating 20 data security procedures that need to be put in place to better secure patient information and avoid other data breaches.