A class action lawsuit has been filed against West Virginia-based Mon Health following a data breach in which an unauthorized third party had access to its network for 11 days in December 2021. After discovering the actor’s activity on its network on December 30, 2021, the health system promptly conducted a forensic investigation to identify the nature of the actor’s access.
The forensic investigation concluded that the threat actors had gained access and obtained sensitive patient information, including full names, birth dates, addresses, Social Security numbers, Medicare claim numbers, patient account numbers, health insurance information, medical record numbers, dates of service, provider names, claims information, and medical treatment information. On February 28, 2022, the health system notified the HHS’ Office for Civil Rights and all 492,861 patients of the data breach.
A lawsuit was subsequently filed in the Monongalia County Circuit Court in West Virginia against Monongalia Health Systems and all of its associated hospitals, including Monongalia County General Hospital Co., Stonewall Jackson Memorial Hospital Co., and Preston Memorial Hospital Corp. The lawsuit claims that Mon Health’s failure to install adequate cybersecurity measures and its noncompliance with the requirements of the HIPAA Security Rule led to the data breach. It also claims negligence, contract violation, breach of confidence, and implied contract breach. Although the breach notification letters were delivered within the HIPAA Breach Notification Rule’s maximum deadline, the plaintiffs contend that they were late and did not provide sufficient information on the breach.
After a data breach, it is common for health organizations to offer complimentary credit monitoring and identity theft services to all affected individuals. However, Mon Health failed to do so. The plaintiffs contend that, because these services were not offered, the responsibility to protect their sensitive data and to look into any abuse of their personal data now falls on them. The plaintiffs assert that as a direct result of the data breach, they are immediately and continuously at risk of identity theft and fraud, and that they will continue to endure damages. The lawsuit calls for the implementation of 20 data security measures in order to better safeguard patient data and to prevent further breaches. It also requests class certification, payment for out-of-pocket expenses, and relief.