Trinity Health hit with class action alleging 'inadequate safeguarding' to blame for March data breach

A patient filed a class-action lawsuit this week against Trinity Health seeking relief after a data breach at the Catholic system compromised the protected information of an estimated 21,000 patients.

Filed Monday in the U.S. District Court for the Southern District of Iowa, the complaint centers on a data breach that occurred between March 7 and April 4. Also listed as defendants are Mercy Health Network and Mercy Medical Center – Clinton, which operate under Trinity.

Des Moines, Iowa-based Trinity told affected patients in early June notice letters that it became aware of the breach on April 4 and that an investigation “revealed that an unauthorized party had access to certain files that contained sensitive patient information,” plaintiff Jennifer Medenblik wrote in the complaint.

The accessed data included patients’ Social Security numbers and other protected health information such as names, addresses, birth dates and care information, according to the notice cited in the complaint.

“There has been no assurance offered by Defendant that all personal data or copies of data have been recovered or destroyed, or that Defendant has adequately enhanced its data security practices sufficient to avoid a similar breach of its network in the future,” Medenblik wrote in the complaint. “Therefore, Plaintiff and Class Members have suffered and are at an imminent, immediate and continuing increased risk of suffering, ascertainable losses.”

The plaintiff blamed Trinity’s “inadequate safeguarding” of the private information for the leak, writing that the organization “knew or should have known” that patients’ records would be the target of a cyberattack. Specifically, Medenblik alleged that Trinity failed to comply with HIPAA, Federal Trade Commission guidelines and industry standards for protecting sensitive patient data.

She also wrote that had the nonprofit “properly monitored its networks, it would have discovered the data breach sooner,” and critiqued the system’s “inadequate notice” to patients that offered little support outside of limited, opt-in credit monitoring.

Medenblik’s complaint listed eight counts including negligence, breach of contract and breach of confidence. She is seeking from Trinity appropriate monetary relief as well as “funds for lifetime credit monitoring and identity theft insurance” for herself and other class members.

Fierce Healthcare has reached out to Trinity for comment on the filing.

Earlier this year, another system within the Catholic giant, Trinity Health Of New England, alerted some of its patients of a December data breach that compromised personal identifying information, payment information and care details. As of early March, the system said that its review of the incident showed no evidence that the information was misused and that “the likelihood of any misuse is low.”