The Northern District of Alabama filed a lawsuit against DCH Health System in the Western Division of U.S. District Court because of a ransomware attack that happened on October 1, 2019.
The ransomware attack forced the 3-hospital health system to deactivate its systems for a 10-day period while rebuilding the systems and recovering the data. During that time, a few non-emergency appointments had to be canceled and patients encountered delays getting treatment and, in some instances, had to find medical services from other medical providers in the state.
The delay to treatment prompted the lawsuit. The lawsuit named four patients who alleged they suffered harm due to the systems shutdown, which disturbed their everyday lives and compelled them to forego medical care and treatment or get care and treatment from another facility during the ten days that DCH Health System’s systems were offline.
One plaintiff, who filed a case on behalf of her daughter stated that the ransomware attack caused delays in the emergency room and the staff told her that she needed to wait about 5 hours before her daughter can get treatment for an allergic reaction that had brought about severe eye swelling. If not willing to wait, she was informed to go to Birmingham to get medical treatment or go to Walgreens. The patient remarks that because of the long delay in getting treatment, the puffiness only subsided after 3 days.
One patient who stayed at the hospital after a surgical procedure mentioned that because her medical records were inaccessible, she was unable to get her prescribed medicines for the duration of her stay. An emergency room patient had x-rays taken several days prior to the attack, but her orthopedic treatment was deferred because of the attack. The lawsuit also claims the potential compromise of the plaintiffs’ protected health information (PHI) because of the attack.
The plaintiffs claim that DCH Health System broke the HIPAA and state laws. The failure to employ proper cybersecurity measures to protect its systems and data were the result of negligence. The lawsuit also alleges a violation of privacy, breach of contract, and breach of fiduciary duty.