Alabama Health System Reeling After Ransomware Attack

January 6, 2020 | Margarita Christoforou | Cybersecurity | Electronic Health Records | HIPAA | Hospitals | Litigation

Alabama’s DCH Health System is facing a federal lawsuit filed by some former patients who allege it was negligent in discovering and responding to a ransomware attack on its computer system. In addition to negligence, the complaint accuses DCH of invasion of privacy, breach of contract and breach of fiduciary duty, among other things. The plaintiffs seek relief ranging from an injunction prohibiting DCH from misusing or disclosing private patient information to payment for credit monitoring services for three years.

On October 1, 2019, DCH discovered that three of its hospitals had fallen victim to a ransomware attack that left them unable to access their electronic files. DCH paid an undisclosed ransom to the hackers to unlock its computer system and regain access. The ransomware attack exposed the confidential medical and personal information of roughly 32,000 patients and required DCH to divert non-emergency patients to other hospitals for over a week.

The plaintiffs allege that the hackers disclosed their information to other third parties, causing the plaintiffs to incur certain expenses as they attempted to prevent unauthorized use of their personal information. The plaintiffs also allege that the ransomware attack disrupted their medical care: one patient claims she was unable to obtain pain medication following surgery because her medical records were inaccessible in the hours following the attack, and another patient claims that x-rays were lost as a result of the attack.

Health systems, hospitals and medical practices should heed this and other attacks as a warning to strengthen the cybersecurity of their computer systems or face the threat of ransoms, lawsuits, and possible regulatory penalties.
