Massachusetts Hospital Faces Class Action Over Christmas Cyber Attack
A Massachusetts hospital that suffered a cyber attack in December has been hit with a class action lawsuit for its alleged failure to secure patients’ personal information.
Anna Jaques Hospital in Newburyport experienced a significant shutdown of its electronic medical records systems and networked computers on December 24, 2023. The attack caused the hospital to redirect ambulances to other hospitals on Christmas Day until service was restored on December 26.
The not-for-profit community hospital, part of the Beth Israel Lahey Health System, acknowledged on January 5 that the attack happened.
According to The Record, published by Recorded Future News, a ransomware gang called Money Message has publicly admitted it was behind the Anna Jaques attack. It did not say how much of a ransom it is demanding.
The proposed class action, brought by Salisbury resident Gary Cabozzi, alleges negligence and breach of implied contract and good faith by the hospital for failing to protect data. It seeks $5.4 million, or $200 each, in damages for an assumed class of 27,000 plaintiffs. However, according to the lawsuit, the actual number of individuals who have had their data exposed is unknown at this time and could be many more given the size of the hospital.
The complaint also seeks court orders for the hospital to improve its data security systems.
The complaint criticizes the hospital for “concealing the existence and extent of the data breach for an unreasonable duration of time” and allegedly failing to provide accurate notice of the data breach. The hospital has still not notified its own clientele about the data breach, the lawsuit claims.
On January 5, the hospital said that if it finds that data has been impacted by this incident, it will send all required notifications in accordance with state and federal laws to patients, vendors, and impacted parties.
Cabozzi complains that he only learned about the cyber incident from local news reports.
Unknown Number
The data that could have been exposed or stolen include personal health information such as medical records and history, test results, procedure descriptions, diagnoses, and personal or family medical histories, the complaint says.
The suit also claims personally identifiable information (PII) such as Social Security numbers, passport numbers, driver’s license numbers, and financial account numbers could have been breached.
Some of the data is “highly sensitive and presents a high risk of identity theft or fraud” and it is “likely” that some of the information that has been exposed has already been misused, the lawsuit claims.
According to the Newburyport Daily News, which first reported the incident, the hospital said on January 2 — more than a week after the event — that it was still working with external cybersecurity officials to restore information systems affected by the attack.
The hospital spokesperson told the local newspaper that the FBI is conducting its own investigation.
The hospital, with more than 1,000 employees, is the largest employer in the small coastal city that is north of Boston and close to the New Hampshire border.
As a result of a merger in 2019, Anna Jaques is clinically affiliated with Beth Israel Deaconess Medical Center, a Boston academic medical center and teaching hospital of Harvard Medical School.
The suit seeking class action status was filed in Massachusetts Superior Court for Essex County by two lawyers, one from Connecticut, the other from Puerto Rico.
Hospital Attacks
The Anna Jaques incident is the latest in a series of attacks on hospitals.
Last November, a ransomware attack prompted Ardent Health Services, a Nashville-based healthcare chain, to divert patients to other hospitals and pause certain elective procedures. Ardent owns and operates 30 hospitals and more than 200 care sites in six states: Oklahoma, Texas, New Jersey, New Mexico, Idaho and Kansas.
In October, two New York hospitals that were hit with a cyberattack had to shut down their computer systems to investigate.
In August, hospitals and clinics in several states run by Prospect Medical Holdings were forced to shut down some primary care, emergency rooms and ambulance services while recovering from a cyberattack. Prospect, which is based in California, has hospitals and clinics there and in Texas, Connecticut, Rhode Island and Pennsylvania.