Getty Images
Universal Health Services Lawsuit: 2 Claims Dismissed, Citing Lack of Harm
A judge has dismissed two out of three claims made in a lawsuit against Universal Health Services, citing a lack of harm. One claim remains due to care delays during a 2020 ransomware attack.
The US District Court for Pennsylvania’s Eastern District recently dismissed two out of three claims made in a lawsuit filed against Universal Health Services, citing a lack of harm. The suit stemmed from its massive EHR outage caused by a ransomware attack in the Fall of 2020.
UHS was one of the first US health systems to be hit with the ransomware wave that targeted the healthcare sector during the last quarter of 2020. The attack began around 2AM on September 27 and shut down systems in the emergency department and proliferated across the network.
The workforce took to social media to report widespread system outages and technical failures, including a lack of access to computers, phones, the internet, and data center. Staff reported the hard drives were lit up with activity prior to all computers being shut down.
The attack was attributed to the Ryuk hacking group. All 400 US care sites were affected by the ransomware incident, driving all sites into EHR downtime procedures. Ambulances were diverted directly following the attack, and some appointments and surgeries were delayed.
It took at least three weeks for the health system to recover, causing $67 million in lost revenue and recovery costs. Sen. Mark Warner, D-Virginia, also launched an inquiry into the health system’s security policies and procedures, due to concerns brought to light by the attack.
Soon after the incident was made public, three patients filed a lawsuit against UHS. Two of the individuals claimed UHS failed to safeguard their protected health information, which they allege was exposed to the Ryuk hackers in September 2020.
As a result, the two individuals claimed they are at an increased risk of identity theft and have faced additional expenditures of time and money to monitor for fraud against their credit and financial accounts, as well as a “diminished value of their PHI.”
The presiding Federal Judge, Gerald McHugh, has dismissed those two allegations given the “narrow definition of injury... adopted for data breach cases” in the case Reilly v. Ceridian Corp. in 2011.
“Costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more ‘actual’ injuries than an alleged increased risk of injury,” according to the 2011 ruling.
“That a plaintiff has willingly incurred costs to protect against an alleged increased risk of identity theft is not enough to demonstrate a concrete and particularized or actual or imminent injury,” it added.
The lawsuit will be allowed to proceed with a claim made by one other patient, as the individual’s surgery was delayed for six weeks as a direct result of the cyberattack.
The man was unable to return to work due to the missed surgery, which resulted in a lapse of insurance and required the patient to purchase alternative insurance at a higher rate.
The judge determined that the economic loss satisfies as a concrete injury, but that “further development of the record is required to determine whether there is a sufficient causal relationship to confer standing.”
“To demonstrate standing to file suit, Plaintiffs must show an ‘injury in fact or an ‘invasion of a legally protected interest’ that is ‘concrete and particularized,’ a ‘causal connection between the injury and the conduct complained of,’ and a likelihood ‘that the injury will be redressed by a favorable decision,’” the judge explained.
“Even so, an injury-in-fact ‘must be concrete in both a qualitative and temporal sense,’” he continued. “For this reason, ‘allegations of possible future injury,’ will not suffice, and a plaintiff ‘lacks standing if his ‘injury’ stems from an indefinite risk of future harms inflicted by unknown third parties,’” he concluded.
As such, the remaining claim is allowed to proceed as the patient has an alleged, sufficient injury-in-fact that is not speculative or manufactured in nature.
The decision may impact future healthcare data breach lawsuits, which have been highly common in light of the rise in incidents over the last two years. While most cases are settled out of court, actual harm is typically the crux of decisions that lead to dismissals.
For example, the Delaware Superior Court dismissed a breach lawsuit against Brandywine Urology Consultants in February, as the victims failed to provide evidence of injuries or losses incurred by a 2020 security incident.
Much like the UHS event, Brandywine Urology Consultants was hit by a ransomware attack that lasted for two days before it was discovered. It was confined to the network and did not infect the electronic medical record system.