Dive Brief:
- A judge allowed part of a class action lawsuit against health system Ascension over a large data breach last year to move forward.
- In an order Tuesday, Judge John Ross ruled plaintiffs’ allegations that the health system was negligent in safeguarding their data amid a major ransomware attack last spring could continue in court. He also allowed several claims related to state consumer protection laws to advance.
- However, the judge dismissed other claims brought against the large nonprofit, including allegations Ascension had breached a contract by failing to protect health data and that the provider had unjustly profited at patients’ expense by neglecting adequate security measures.
Dive Insight:
Ascension, which operates more than 100 hospitals and senior living facilities across the country, was hit by a ransomware attack in May 2024.
The attack took down critical technology like its electronic health record system, and forced some facilities to send emergency cases to nearby hospitals. The incident also compromised the data of more than 5.4 million people, according to a report with federal regulators.
The lawsuit, filed last year about a week after the cyberattack was initially detected, alleges Ascension failed to equip its computer system with essential security measures, allowing cybercriminals to access patient data.
As a result, plaintiffs argue they face “imminent and ongoing risk” of identity theft, and must monitor their accounts for signs of fraud and manage spam calls and messages.
Some patients also alleged specific problems linked to the data breach, including reports of fraudulent charges to a bank account, delayed care due to the cyberattack and finding protected health information had been posted to the dark web.
But Ascension moved to dismiss the suit, saying plaintiffs hadn’t suffered any injury due to the cyberattack and couldn’t connect credit irregularities or dark web notices specifically to the breach.
However, the judge ruled that the risk of future injury due to the attack is high enough, given the nature of the personal information exposed and the reports of suspicious bank activity.
Plaintiffs’ allegations of present injury were also enough to establish standing in court, though the judge noted spam calls and texts couldn’t be clearly traced to the Ascension attack.
“Though Ascension contends that isolated incidents of suspicious bank or dark web activity could be attributed to other causes, Plaintiffs plead that these events occurred after and as a result of the breach and believe that their injuries are traceable to it,” Ross wrote. “The Court accepts the pleadings as true at this early stage and finds them sufficient to entitle Plaintiffs to discovery on the issue.”
Ascension did not respond to a request for comment by press time.
Cybersecurity has become a major challenge for the healthcare sector, as hackers increasingly target providers and other organizations for their valuable patient data stores.
Data breaches in healthcare are also particularly expensive for healthcare organizations. Ascension recorded a $1.1 billion net loss in 2024, largely due to impacts from the cyberattack like delays in revenue cycle processes and remediation costs.
But the provider returned to profitability in 2025, reporting $917.7 million in net income for the year ended June 30.