Class Action Lawsuit Filed Against Memorial Health System Over August 2021 Cyberattack

Marietta Area Health Care Inc., also known as Memorial Health System, is facing a class action lawsuit over a cyberattack and data breach that Memorial Health System detected on August 14, 2021.

The investigation confirmed that the attackers first gained access to the organization's servers on or about July 10, 2021, and installed malware on its systems. Unauthorized access possibly continued until August 15, 2021.

The breach notification letters said that Memorial Health System discovered on September 17, 2021, that the threat actor likely accessed or acquired information from its systems. The assessment of the affected systems was finished on November 1, 2021. The affected individuals were notified on January 12, 2022, and were provided a 12-month no-cost membership to a credit monitoring service. The breach notice filed with the Maine attorney general’s office states that the personal data of 216,478 people was possibly accessed by the threat actors.

The lawsuit against Marietta Area Health Care Inc. dba Memorial Health System was filed in the U.S. District Court of the Southern District of Ohio, Eastern Division on behalf of the plaintiff Kathleen Tucker and other persons affected by the security breach.

The lawsuit claims that the plaintiff’s and class members’ personal records, such as names, dates of birth, Social Security Numbers, patient account numbers, medical record numbers, and medical data, were compromised and unlawfully viewed, and that the plaintiff and class members sustained ascertainable losses such as the loss of the benefit of their bargain, out-of-pocket costs, and the value of their time incurred to remedy or mitigate the impact of the attack.

The lawsuit states that Memorial Health System was at fault for keeping patients' private data in a careless manner by saving the files on systems that were susceptible to cyberattacks. The lawsuit states that the defendant knew the risk of cyberattacks yet did not take the necessary steps to safeguard private information. In addition to negligence, the lawsuit alleges negligence per se, unjust enrichment, and breach of implied contract.

The plaintiff and class members claim they are now exposed to an increased and imminent threat of fraud and identity theft and should closely monitor their financial accounts to guard against identity theft now and in the future. Out-of-pocket expenses were also incurred, including the cost and time of arranging credit monitoring services, credit reports, and credit freezes.

The lawsuit seeks a jury trial and compensatory damages, punitive damages, treble damages, compensation for out-of-pocket expenses, and injunctive relief, which must include enhancements to Memorial Health System’s data security systems, future annual audits, and the provision of sufficient credit monitoring services to people impacted by the breach.

Attorney Joseph M. Lyon of The Lyon Firm, LLC filed the lawsuit. The law firm of Console & Associates, P.C. has likewise started an investigation into the data breach and cyberattack.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism.