HCA Healthcare hit with at least 4 class-action lawsuits days after disclosing massive data breach

It took less than a week for hospital chain HCA Healthcare to go from a multimillion-patient data breach to a slew of class-action lawsuits alleging negligence and seeking relief.

Two such cases were filed last Wednesday and another two on Friday, all in a Tennessee district court.

They follow Monday’s announcement, in which the 182-hospital for-profit system disclosed that an external storage location used to automate email message formatting had been compromised. Data lists including up to 27 million rows of data, potentially impacting 11 million patients, were accessed, and information including patient names, emails, dates of birth and appointment locations, but not clinical information, was posted online, the system said.

The plaintiffs in one case, Gary Silvers and Richard Marous, both patients, wrote that they and other impacted patients “now face a lifetime risk of identity theft due to the nature of the information lost, and a diminishment in the value of their private data.”

Affected patients have also lost the time spent mitigating the breach’s consequences and face “emotional distress associated with the loss of control over their highly sensitive private information,” the plaintiffs wrote.

HCA, they wrote, “knew or should have known” that the private information collected is “highly sought after by criminal parties.” Security measures outlined in HCA’s data security incident report were “wholly inadequate” and allegedly did not comply with data security guidelines shared by the Federal Trade Commission or those outlined in the Health Insurance Portability and Accountability Act, plaintiffs wrote.

“Defendant’s failure to protect patients’ private information has harmed and will continue to harm millions of patients, causing plaintiffs to seek relief on a classwide basis,” they wrote.

Silvers and Marous’ complaint outlined one count of negligence, one count of negligence per se and one count of breach of implied contract. They requested that the court grant monetary damages as well as equitable and injunctive relief, the latter of which would include an order for HCA to encrypt “all data collected through the course of its business.”

The other three complaints filed last week followed similar lines of argument and prayers for relief. They also listed other causes of action, among them invasion of privacy, unjust enrichment and breach of fiduciary duty.

HCA said in last week’s announcement that it reported the breach to law enforcement and retained third-party forensic and threat intelligence advisers. It disabled user access to the breached data storage location—a move plaintiffs said was insufficient—and plans to offer credit monitoring and identity protection services where appropriate, it said.

The healthcare sector saw roughly 295 breaches affecting over 39 million individuals during the first half of 2023, according to the Department of Health and Human Services' Office for Civil Rights. HCA’s incident stands as the largest healthcare breach of the year to date in terms of total number of individuals potentially affected.