HCA data breach class action lawsuit may include 11 million; Mission patients notified

Mitchell Black, Asheville Citizen Times
·4 min read

ASHEVILLE – HCA Healthcare’s recent data breach, disclosed in a July 10 news release, brought an onslaught of litigation against the for-profit, publicly traded corporation. There have been at least 23 lawsuits filed in relation to the data breach since the hack became public. That litigation has been consolidated into one legal filing, according to Aug. 23 and 25 orders from United States District Judge for the Middle District of Tennessee, William L. Campbell.

HCA bought the Mission Health system in 2019. According to an HCA update on the breach posted Aug. 14, each of the six hospitals in the Mission system were impacted by the security incident.

The lead plaintiffs in the class action suit are Florida residents Gary Silvers and Richard Marous, who each were patients of Florida HCA hospitals.

Attorneys at two Florida-based firms are leading the legal charge. They were the first to file claims related to the data breach, submitting their lawsuit July 12. They are suing HCA for two different forms of negligence and implied breach of contract.

Mission Hospital in Asheville was acquired by HCA in 2019.
Mission Hospital in Asheville was acquired by HCA in 2019.

The complaint alleges that HCA owed its patients a “duty of care” to protect their data, but failed because it did not use “reasonable measures to protect class members’ private information.” It specifically cites HCA for failing to use “adequate security measures,” adequately monitor the security of its network and systems and allowing unauthorized access to private information. The legal filing also notes that patients had an expectation that HCA would safeguard their information and would not have entrusted the company with their information if they knew it would be vulnerable.

According to the complaint, HCA patients subject to the breach have suffered injury because their privacy was invaded and their information is at risk, among other reasons.

The attorneys asked the court to certify their proposed class. They are seeking to represent the roughly 11 million people notified by HCA of the data breach. Their requests for relief include pleas for HCA to secure patient data more robustly, as well as awarding damages.

Jeff Ostrow, an attorney for the plaintiffs, told the Citizen Times Aug. 28 that patients impacted by the data breach and wish to not join the class can reach out to him and request their removal, otherwise they will automatically be part of the class.

“A lot of people’s information may have been hacked, but that doesn’t mean that something has happened to it, or will happen to it,” Ostrow said. “People need to be observant of their credit reports.”

Plaintiffs filed their motion to consolidate the cases July 31. HCA responded Aug. 14 saying that it did not oppose the motion. Campbell ultimately gave the green light.

Mission Hospital in Asheville
Mission Hospital in Asheville

HCA announced in an Aug. 14 update that the company would send out letters to patients affected by the breach. The update noted that patients would be receiving updates on a state-by-state basis. Asheville residents have started receiving letters from HCA. Mission Hospital spokesperson Nancy Lindell referred the Citizen Times to HCA’s published online materials upon request for comment.

Ostrow noted that it is not exactly clear what information was breached or disclosed in the hack. HCA has maintained in news releases and updates that none of the disclosed information included was clinical, or sensitive, like passwords, government-issued ID numbers, or social security numbers.

More: COVID-19 at eight-month high in Buncombe County, but tests are hard to find

More: Mission, pre-HCA, among 5 hospitals responsible for 96% of NC medical debt lawsuits

More: HCA's $15.9 billion in 2nd quarter revenue: What does that mean for Asheville's Mission?

One of the letters obtained by the Citizen Times dated Aug. 21 indicates that HCA learned about the breach July 5 and that “preliminary investigation suggests the information was obtained by an unauthorized party in late June.” The letter also notes that the facilities where the theft occurred automated the formatting of email messages, like reminders about scheduling an appointment.

The company has established a toll-free call center for individuals with questions about the breach. It is also providing a complimentary credit monitoring and identity protection service for two years. Information about enrolling in the program is included in the letter and can be found at https://app.idx.us/account-creation/protect. The deadline to enroll is Nov. 21.

According to Campbell’s order, the plaintiffs have until Sep. 2 to file a motion with their leadership structure. The plaintiffs must file a complaint with the consolidated cases by Oct. 7. HCA must respond by Nov. 21.

Mitchell Black covers Buncombe County and healthcare for the Citizen Times. Email him at mblack@citizentimes.com or follow him on Twitter @MitchABlack. Please help support local journalism with a subscription to the Citizen Times.

This article originally appeared on Asheville Citizen Times: HCA data breach class action lawsuit may represent 11 million patients