News on CommonSpirit Health and BioPlus Specialty Pharmacy Services Data Breach Legal Cases

Federal Judge Dismisses CommonSpirit Health Data Breach Lawsuit Due to Not Enough Standing

A federal court judge decided to dismiss a class action lawsuit versus CommonSpririt Health regarding its 2022 data breach because of the failure of the plaintiff to prove that they sustained harm due to the data breach.

CommonSpirit Health encountered a ransomware attack on October 2, 2022, that affected over 100 CommonSpirit Health establishments throughout the United States. A threat actor acquired access to its network on September 16, 2022, and accessed those programs until October 3, 2022. According to the forensic investigation and document analysis, the protected health information (PHI) of over 623,000 patients was exposed. The compromised information involved complete names, addresses, medical companies, patient facility/account numbers, medical record numbers, dates of medical services, treatment/drug details, and other medical insurance data.

CommonSpririt Health faced multiple class action lawsuits concerning the cyberattack and data breach with identical claims. The lawsuits claimed that CommonSpirit Health was at fault due to the inability to use acceptable and proper safety measures to secure the privacy of the PHI it kept and deferred releasing breach notifications, which weren’t mailed until April 5, 2023.

One of those legal cases, Bonnie Maser v. CommonSpirit Health, claimed that the plaintiff endured injuries due to the breach, including greater than $3,000 in bank account fraud that ended in account closure. Because of the fraudulence, the plaintiff could not pay her rent, forfeited her housing, her credit score fell 60 points, and she professed to still experience harm, which included panic attacks as a result of worrying about the data breach. Maser’s lawsuit alleged breach of implied contract, negligence, unjust enrichment, and breach of the implied covenant of good faith and fair dealing.

CommonSpirit Health asserted that the plaintiff did not claim a tangible or impending injury to prove Article III standing, did not sufficiently state the minimum amount in dispute as per the Class Action Fairness Act, and did not express a claim upon which alleviation can be awarded. U.S. Magistrate Judge Suan Prose dismissed the legal action as a result of not enough Article III standing because the plaintiff did not show that the fraudulent expenses were quite trackable to the data breach.

This is CommonSpirit Health’s second lawsuit to be dismissed because of insufficient standing.  Two legal cases against CommonSpirit Health, one by Leeroy Perkins and another by Jose Antonio Koch individually and on behalf of his two minor children, were filed in Illinois and combined into a single lawsuit. District Court Judge Harry D. Leineweber dropped the lawsuit due to insufficient standing.

BioPlus Specialty Pharmacy Services Offers to Resolve a Data Breach Lawsuit

BioPlus Specialty Pharmacy Services has offered to settle a class action lawsuit that was filed because of a data breach in 2021 that compromised the records of around 350,000 individuals. Hackers accessed the BioPlus system for about 2 weeks from October to November 2021, and probably stole names, contact details, birth dates, Social Security numbers, medical insurance data, and prescription details. The Florida specialty pharmacy company alerted the impacted people in 30 days and gave them free credit monitoring services.


The lawsuit claimed that BioPlus should have averted the breach and might have done so if good cybersecurity steps had been enforced and industry-standard security recommendations had been observed. BioPlus did not agree with the accusations; nonetheless, a settlement was proposed to conclude the legal action. BioPlus hasn’t accepted responsibility for any wrongdoing linked to the attack and data breach.

As per the conditions of the offered settlement, class members can send claims of approximately $7,550 and will be refunded for out-of-pocket costs incurred because of the data breach. The highest claim granted is determined by whether Social Security numbers were breached. In case they were, class members are granted to get paid $50 and can claim around $7,500 for reported expenditures sustained on account of the data breach, including 3 hours of lost time valued at $25 per hour, and any unreimbursed costs to identity theft and scam.

Class members who didn’t have their Social Security numbers exposed are not allowed to claim a cash payment and claims will be restricted to $750, which includes 2 hours of lost time worth $25 an hour. Any person who wants to object to or be not included in the settlement should do so on or before June 18, 2024, and all claims must be filed on the same date. The settlement has gotten preliminary approval by the court. The date of the final settlement hearing is on August 22, 2024. Morgan & Morgan and Markovits, Stock, & DeMarco LLC lawyers represent the plaintiff and class.

About Christine Garcia 1303 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at