The Northern District of Alabama filed legal action against DCH Health System in the Western Division of U.S. District Court with regards to a ransomware attack that occurred on October 1, 2019.
The ransomware attack compelled the 3-hospital health system to disable its systems for 10 days while reestablishing the systems and retrieving the information. At that time, a number of non-emergency consultations needed to be postponed and patients suffered delays acquiring treatment and, in certain cases, had to get medical services from other healthcare companies in the state.
The treatment delay caused the lawsuit. The lawsuit listed four patients who claimed they sustained hurt because of the systems shutdown, which interrupted their day-to-day lives and forced them to postpone health care and treatment or find care and treatment from alternate providers during the 10 days when DCH Health System’s networks were deactivated.
One plaintiff, who submitted a lawsuit for her daughter explained that the ransomware attack brought about delays in the emergency room and the personnel advised her that she had to wait approximately 5 hours before her daughter could receive remedy for an allergic response that had resulted in serious eye inflammation. If not able to wait, she was advised to travel to Birmingham to obtain health treatment or stop by Walgreens. The patient states that due to the long delay in obtaining treatment, the inflammation only went away on the third day.
One patient who remained at the hospital after a surgical treatment stated that since her health records were unavailable, she cannot get her prescribed drugs for the period of her stay. An ER patient had x-rays taken a couple of days prior to the attack, but her orthopedic treatment was postponed due to the attack. The lawsuit likewise states the possible exposure of the plaintiffs’ protected health information (PHI) due to the attack.
The plaintiffs state that DCH Health System violated the HIPAA and state regulations. The inability to execute suitable cybersecurity controls to secure its systems and data was because of negligence. The suit likewise claims privacy violation, breach of fiduciary duty and breach of contract.