Hackensack Meridian Health Sued Because of Hospital Ransomware Attack

Hackensack Meridian Health Inc. is facing a proposed class action lawsuit filed by two people who allege patients’ personal identifying information was breached during a hospital ransomware on Dec. 2.

Named plaintiffs David Aranowitz and Roxane Campagna accuse the medical services network of negligent conduct for allowing computer security to be so lax, thousands of patients’ data was compromised and may be used by identity thieves or for other reasons on the dark web.

The ransomware attack caused Hackensack Meridian Health’s computer network to be down for two days, which left patients, families, doctors and nurses unable to depend upon about 100 scheduled surgeries or procedures.

Hackensack Meridian Health is the state’s largest hospital network and includes 17 hospitals and 200 health care and rehabilitation offices in New Jersey.

Hackensack Meridian Health admitted the company had fallen victim to a ransomware attack on Dec. 13. The cyber attackers encrypted the hospital’s database and demanded a ransom before they alleged they would come forth with a key that would allow the hospital personnel to unlock the encryption.

Hospital Ransomware Demands Met

Administrators said they paid the hackers the ransom fee, but did not say how much they paid to have access to their computer systems once again, according to CyberScoop.

The Federal Bureau of Investigation (FBI) has recommended companies not meet the ransom demands of cyber attackers because the culprits’ successful capture of money and data provides them with confidence to take another hospital’s data hostage. In some cases, hackers have broken their promise and not provided an encryption key even after receiving the money.

The FBI and cyber security firms have warned of potential increases in the number of hospital ransomware attacks for several reasons. The number of people included in a database and the amount of sensitive personal information stored on each person makes a hospital computer system a likely target. When hospital staff are unable to access patient data, the hospital becomes basically paralyzed. Patients who need surgery, procedures, medications and more are placed at risk, which adds to the urgency of needing the information back in the hands of hospital administrators.

According to the complaint against Hackensack Meridian Health, compromised information includes demographics, dates of birth, Social Security numbers, driver’s license or ID card numbers, employment information, health insurance information, medical information and other health data that is to be protected per HIPAA.

Aranowitz and Campagna allege that they and other affected consumers not only had their medical care and their lives disrupted, but also now face an increased risk of having their personal information used for identity theft or other fraudulent activity.

The complaint alleges Hackensack Meridian Health has not notified patients of the data breach. The U.S. Office of Health and Human Services posts a list of known data breaches on its website, and the Hackensack Meridian incident does not appear on that report.

A look at Hackensack Meridian Health’s website could find no mention of the ransomware attack or of the possibility patient information is in the hands of cyber thieves.

The Hospital Ransomware Lawsuit is David Aranowitz et al. v. Hackensack Meridian Health Inc., Case No. 2:20-cv-01409, in the U.S. District Court for the District of New Jersey.

Join a Free Hospital Ransomware Attack Class Action Lawsuit Investigation

If you were a patient at a hospital or healthcare facility affected by a ransomware attack that impacted your medical care, you may qualify to join a hospital ransomware attack class action lawsuit investigation.

Learn More

This article is not legal advice. It is presented
for informational purposes only.