CommonSpirit Health’s Second Class Action Lawsuit Due to its 2022 Ransomware Attack

CommonSpirit Health is facing another lawsuit over the ransomware attack and data security breach it suffered in 2022. The lawsuit alleges that the nation’s biggest Catholic health system did not use acceptable and proper safety measures to prevent unauthorized access to sensitive patient information.

CommonSpirit Health reported at the beginning of October that it had experienced a cyberattack that made its IT systems inaccessible. In December, the provider confirmed that the people responsible for the ransomware attack had access to some parts of its system between September 16 and October 3, 2022. The attackers potentially accessed or acquired the protected health information (PHI) of 623,774 individuals, including names, contact details, dates of birth, and internal patient identifiers.

On January 13, 2022, the most recent lawsuit was filed in the U.S. District Court for the Northern District of Illinois by plaintiff Jose Antonio Koch, his two young children (John and James Doe), and other similarly affected persons. Koch and his children received health care services at St. Michael Medical Center in Silverdale, WA. The hospital is a CommonSpirit Health member hospital managed by Virginia Mason Franciscan Health, which was impacted by the cyberattack.

CommonSpirit Health posted ongoing updates on its web page concerning the cyberattack and data breach. Patients were informed in December when the scope of the breach was confirmed, roughly 2.5 months after the breach happened and two months after its discovery. The lawsuit claims CommonSpirit Health failed to implement sufficient and acceptable measures to protect its data systems against unauthorized intrusion, and that CommonSpirit was not forthcoming regarding the security incident. The lawsuit additionally suggests the actual number of people impacted might be much higher, possibly up to 20 million. It also questions how long it took CommonSpirit Health to identify the data breach, which began on September 16, 2022, yet was not noticed until October 2, 2022.

The lawsuit claims the plaintiffs and class members were subjected to a heightened and imminent risk of fraud and identity theft, and now bear the cost of credit monitoring services, credit reports, credit freezes, and other security measures, while also spending time monitoring their accounts, changing passwords, and taking other steps to safeguard their identities.

The lawsuit alleges negligence, unjust enrichment, breach of implied contract, and negligence per se. It seeks class-action status, a minimum of 7 years of free credit monitoring services, an award of actual damages, statutory damages, compensatory damages, and statutory penalties, as confirmed and permitted by law, and an award of punitive damages plus attorneys’ fees.

An earlier lawsuit was filed in the U.S. District Court for the Northern District of Illinois on December 29, 2022, by Washington citizen Leeroy Perkins. It made the same allegations that industry-standard cybersecurity requirements were not implemented. That legal action seeks damages over $5 million plus injunctive relief, including a requirement that CommonSpirit Health implement stronger data security measures to prevent further data breaches.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA