Dive Brief:
- Ascension faces two proposed class actions just one week after a cyberattack took systems offline across its portfolio of 140 hospitals, forcing the nonprofit system to divert ambulances and suspend elective care.
- In complaints filed in district courts in Illinois and Texas, the plaintiffs allege Ascension acted negligently by failing to encrypt patient data and say the attack puts them "at increased risk of identity theft for years to come."
- Ascension has not said the attack compromised patient data, though its investigation is still ongoing.
Dive Insight:
As cyberattacks on healthcare providers increase in frequency, so do lawsuits filed by patients seeking to hold health systems responsible for alleged harms, including possible privacy violations.
Lawsuits can be filed before health systems have even determined whether patients' private information was compromised.
Change Healthcare, for example, was still investigating the extent of a February cyberattack when it was hit by several class action lawsuits. And last summer, HCA Healthcare was sued a week after an attack that affected up to 11 million patient records.
The plaintiffs in the Illinois lawsuit say the breach itself demonstrates negligence. They argue that if Ascension had properly encrypted the data, anything stolen by the Black Basta cybercriminal group would have been rendered useless.
However, the nonprofit provider has not yet confirmed that any patient data was compromised.
“We are conducting a thorough investigation into the incident with the support of leading cybersecurity experts and law enforcement,” an Ascension spokesperson told Healthcare Dive on Wednesday. “If we determine that sensitive data has potentially been exfiltrated or accessed, we will notify and support affected individuals in accordance with all relevant regulatory and legal obligations.”
David Kessler, head of privacy, information governance and e-discovery at law firm Norton Rose Fulbright, told Healthcare Dive that the plaintiffs' argument that a breach automatically amounts to negligence was “the antithesis of jurisprudence.”
“It's understood that there is no such thing as perfect data security: these events are going to happen, that's the reality of our information age,” Kessler said. “The question is: Did the data owner… take reasonable steps… to prevent the event?”
Yet despite questionable legal grounds, including damages based on future harm such as possible identity theft, Kessler said most breach cases end up being settled out of court rather than litigated.
While that may work for businesses in the short term, it leaves unanswered the question of what it means to have reasonable data security.
“I don't think there have been a lot of clear rules developed in case law about what constitutes reasonable security or data governance,” Kessler said. “And so until this is resolved – which could take a very long time – there will be plenty of opportunities to bring charges because it's not clear whether there is any liability.”
Some regulators and standards bodies are trying to answer that question, both domestically and internationally, through efforts such as the European Data Protection Authority and the NIST Cybersecurity Framework.
However, Kessler said cybersecurity is changing so rapidly that guidelines become outdated almost as soon as they are published.
“In the absence of really strong regulatory or legislative measures, we're always going to be playing catch-up,” he said.