- Baltimore-based Johns Hopkins Health System was hit with a class action lawsuit Friday alleging negligence after the hospital system uncovered a third-party data breach in May.
- The lawsuit, filed in Maryland District Court, alleges the health system failed to implement safeguards to secure the personal health information and PII of those affected by the breach, according to the suit.
- Johns Hopkins discovered its data was compromised May 31 due to a widely exploited vulnerability in the MOVEit file transfer service. Hundreds of thousands of individuals could be impacted by the breach, according to the lawsuit.
The class action suit comes as hacking incidents at healthcare firms grow as more companies and health systems pivot to electronic health records. From 2010 to 2022, 385 million patient records were exposed due to data breaches, according to federal records.
Filed on July 7 by Pamela Hunter — a client of the hospital — the lawsuit alleges that the health system was aware of the “substandard” condition of its information systems, and broke its implied covenant of good faith by not maintaining adequate security protocols.
Johns Hopkins’ data breach occurred through an exploited vulnerability in its MOVEit file-transfer software. The MOVEit breach affected several government agencies, including the U.S. Department of Energy, and was attributed to the financially motivated ransomware group Clop.
In February, the HHS warned that Clop was responsible for breaches at healthcare organizations, including an attack at Tennessee-based Community Health Systems.
Although Johns Hopkins was aware of the data breach in May, the class action suit alleges that Hunter did not receive notice — or was even aware that the system stored her personal health data — until after receiving a letter dated June 24.
Although HIPAA requires hospitals to notify individuals of a data breach “without reasonable delay” and no later than 60 days following the discovery, the lawsuit claims that plaintiffs lost time dealing with potential consequences of the breach, and were given insufficient details regarding the stolen data.
“Plaintiff and the class members remain, even today, in the dark regarding what data was stolen, the particular malware used, and what steps are being taken to secure their PHI/PII and financial information going forward,” the lawsuit states.
Last year, the healthcare industry was the most common victim of third-party breaches as hospitals struggled to recover from the COVID-19 pandemic, according to a report from cyber intelligence firm Black Kite.
The industry’s poor cybersecurity protocols, combined with its interconnected health information systems, makes healthcare the highest risk sector for third-party vendor breaches, according to the report.
Just this week, HCA Healthcare reported a data security incident that may have affected more than 11 million patients.