New Jersey Hospital Network Faces Lawsuit Over Ransomware Attack

A proposed class-action lawsuit has been filed against New Jersey's largest hospital health network over a ransomware attack that happened in December.

Threat actors infected the computer systems of Hackensack Meridian Health, causing a system-wide shutdown on December 2. The attack disrupted services at 17 urgent care centers, hospitals, and nursing homes operated by the network. 

News of the attack was leaked to the media on December 5. Eight days later, Hackensack confirmed that it had paid an undisclosed sum to retrieve files encrypted in the ransomware attack. 

Now, a proposed class-action lawsuit has been filed in a Newark district court by two plaintiffs seeking compensation, reimbursement of out-of-pocket expenses, statutory damages, and penalties. 

The plaintiffs are also seeking to secure injunctive relief that will require Hackensack Meridian Health to undergo annual data security audits, make improvements to its security systems, and provide three years of credit monitoring services to breach victims free of charge.

In the 45-page complaint, the plaintiffs allege that Hackensack Meridian Health failed to adequately protect patients' data. They accuse the healthcare provider of running its network in a “reckless manner” that left its computer systems vulnerable to cyber-attackers. 

The lawsuit further alleges that as a result of the attack, patients suffered major disruptions to their medical care for two days and were forced to seek alternative care and treatment.

An investigation conducted by Hackensack Meridian Health found no evidence that patient data had been stolen as a result of the ransomware attack. However, the plaintiffs allege that attackers stole their personal and protected health information and disclosed it to “other unknown thieves,” putting them at imminent risk of identity theft and fraud. 

The plaintiffs allege that Hackensack Meridian Health has failed to officially notify patients of the attack and has not reported the attack to the US Department of Health and Human Services Office for Civil Rights (OCR), as required by the Health Insurance Portability and Accountability Act (HIPAA). Notice of the ransomware attack had not yet appeared on the breach portal run by the OCR at press time.

Hackensack Meridian Health, which is based in Edison, New Jersey, has more than 35,000 employees and generates around $6bn in annual revenue.
