First Lawsuit Filed in HCA Data Hack as New Questions EmergeMore Litigation Likely to Follow; Also, Was Data of UK Patients Breached?
Plaintiffs filed the first of what will likely be many more proposed class action lawsuits against HCA Healthcare just two days after the hospital chain publicly disclosed a hacking incident involving the posting of information for potentially 11 million patients on a dark web forum.
Meanwhile, the Nashville, Tennessee-based company has yet to publicly address some important circumstances of the breach - including whether the compromise involved a third-party storage vendor and whether any HCA patients outside the U.S. were affected.
HCA, which last year reported revenue of more than $60 billion, operates 182 hospitals and 2,300 other medical care facilities in 20 U.S. states - plus a hospital in the United Kingdom (see: HCA Says Up to 11M Patients Affected by Email Data Hack).
The lawsuit filed yesterday in a Tennessee federal court by two affected HCA U.S. patients, Gary Silvers and Richard Marous, alleges that HCA was negligent in failing to safeguard their personal identifiable and protected heath information from unauthorized access and disclosure.
"Plaintiffs' and class members' private information is of great value to hackers and cybercriminals, and the data stolen in the data breach has been used and will continue to be used in a variety of sordid ways for criminals to exploit plaintiffs and class members and to profit from their misfortune," the proposed class action complaint alleges.
The lawsuit, which seeks monetary damages and injunctive relief requiring HCA to strengthen its data security systems and monitoring practices, will undoubtedly be followed by many similar proposed class action lawsuits in the weeks and months to come.
"Given the number of persons affected, it is likely that separate class actions may be filed and ultimately consolidated," said regulatory attorney Rachel Rose, who is not involved in the HCA litigation.
Steven Teppler, a partner and chief cybersecurity legal officer at law firm Mandelbaum Barrett PC - also not involved in the HCA case - said that given how geographically widespread the victims are, "it’s likely that we'll see follow-on lawsuits, which makes it more likely that a motion will be made to convert this into a multidistrict litigation."
HCA reported the incident on Monday in a filing with the U.S. Securities and Exchange Commission, saying that based on the information known so far, HCA does not believe the incident will materially affect its business, operations or financial results.
HCA told the SEC that the incident, which involved a compromise to "the external storage location was exclusively used to automate the formatting of email messages," has not disrupted day-to-day operations or services to patients.
So far, HCA has not clarified what "external storage location" means in the context of who owns or manages the compromised system.
"External storage" could mean that the system compromised is owned and controlled by HCA but is located outside of its corporate headquarters or hospitals, Rose said. "Alternatively, it could mean that it is controlled by a third party."
If a third-party storage system was breached, that potentially means more defendants will be added to the class action litigation, Rose said.
"Additionally, if a third-party storage system was utilized, they would be a business associate under HIPAA. The Department of Health and Human Services' Office for Civil Rights will no doubt look into the business associate, as well as HCA as a covered entity," she said.
In an FAQ posted on its website, HCA includes a long list naming hundreds of its U.S. hospitals and physician clinics affected by the incident.
HCA did not list its U.K. facility, Lister Hospital in London, and the company did not immediately respond to Information Security Media Group's request for additional details about the breach, including whether patient data in the U.K. or elsewhere in Europe had potentially been compromised in the hack.
But if any HCA patient data in the U.K. was affected, the compromise potentially becomes more complicated from a regulatory perspective, legal experts say.
"It’s possible that the data protection authority in the U.K. - the Information Commissioner's Office - would commence an investigation," Teppler said.
"The U.K. ICO's website confirms that, since Brexit, the General Data Protection Regulation has been kept as U.K. law until June 2025. There might also be a possibility for a class-type action if allowable under U.K. law," he said.
Enforcement by European regulators also could be at stake for HCA. "If it is found that HCA had data in Ireland, for example, there still may be GDPR implications, and Ireland is aggressive in its enforcement," Rose said.
The geographic location of HCA's compromised external storage system and the residence of affected individuals might also come into play from an international regulatory standpoint, Teppler said.
"If we presume for the moment that the storage is cloud-based, it should be determined whether the U.K. health information could be considered stored in the U.K./EU, in the U.S. or elsewhere," he said.
"If the 'external storage' was not cloud-based, then the location of the storage would need to be ascertained at the outset. HCA will likely be subject to claims it violated U.K. GDPR, and maybe EU GDPR."
In any case, a few facts are certain involving the HCA hack and similar incidents, experts say. "Liability from data breaches is on the rise. The healthcare sector has historically been and remains a target of cybercriminals," Rose said.