Mon Health sued over data breach

Erin Cleavenger, The Dominion Post, Morgantown, W.Va.
·3 min read

Sep. 24—A December 2021 data breach is the topic of a lawsuit filed this week in Monongalia County Circuit Court.

It names Monongalia Health Systems Inc. (Mon Health) and affiliated hospitals, Monongalia County General Hospital Co., Stonewall Jackson Memorial Hospital Co. and Preston Memorial Hospital Corp. as defendants.

According to the lawsuit, on Feb. 28, Mon Health announced the security incident that compromised the protected health information (PHI) of at least 492, 861 individuals. The system determined that unauthorized parties accessed its IT network between Dec. 8-19, 2021 — when the system was alerted to unusual activity.

On Dec. 30, 2021, Mon Health determined that the data breach resulted in unauthorized access to information pertaining to its patients, providers, employees and contractors, the suit said.

An investigation into the breach found the unauthorized third party had access to sensitive patient information, including "names, addresses, dates of birth, Social Security numbers, Medicare health insurance claim numbers, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information and patient status, " the lawsuit states.

The plaintiffs, Rachel Silbaugh, Robin Stripling and Michael Stripling, claim their information and that of over 492, 000 potential class members was disclosed without authorization to an unknown third party as a result of the data breach and allege claims for negligence, breach of contract, breach of implied contract and breach of confidence.

The plaintiffs claim that as a result of Mon Health's "failure to implement and follow basic security procedures, " their information is now in the hands of criminals and class members now and forever will face an increased risk of identity theft.

The lawsuit also claims Mon Health's data breach resulted from insufficiencies that indicate the health care system failed to comply with safeguards mandated by HIPAA (Health Insurance Portability and Accountability Act).

According to the plaintiffs' claims, Mon Health began mailing letters to those whose information had been compromised on Feb. 28 — nearly two months after the investigation concluded.

"The notice letters plaintiffs and class members received were untimely and woefully deficient, " the suit states, "failing to provide basic details concerning the data breach."

Mon Health's delay in identifying and reporting the breach deprived plaintiffs and class members of the ability to promptly mitigate potential adverse consequences from the data breach, the lawsuit claims.

The complaint says Mon Health also warned plaintiffs and class members to watch financial account statements for unauthorized activity, but had not offered credit monitoring or identity theft protection services — payment card data was not even listed as part of the sensitive information accessed during the breach.

By taking no responsibility for its actions and inactions, the plaintiffs say Mon Health has placed the burden of the data breach on them by recommending they review healthcare and health insurance statements for fraudulent activity.

As a result of Mon Health's failure to prevent the breach, the plaintiffs and class claim they have suffered and will continue to suffer damages, including actual identity theft, delays in filing taxes, loss of control of their PHI, costs associated with the prevention, detection, recovery and remediation from identity theft or fraud, and others.

When asked for comment on the allegations, Mon Health Systems provided The Dominion Post with the following statement: "The security of patient and employee data is a top priority for Mon Health System and its affiliated hospitals. Due to ongoing litigation, we are unable to comment further at this time."

The plaintiffs are asking the court mainly for equitable relief requiring Mon Health to implement 20 specific data security practices outlined in the lawsuit and "appropriate cyber security methods and policies " for PHI education, collection and protection.

The lawsuit also asks the court for an order to certify the class and appoint the plaintiffs — Silbaugh, Stripling and Stripling, and attorney Mark E. Troy, of Morgan and Morgan in Clarksburg, as the class representatives.