Getty Images/iStockphoto

DCH Health Faces Federal Lawsuit After 10-Day Ransomware Attack

Patients impacted by the 10-day EHR downtime at DCH Health in Alabama have filed a class-action lawsuit, claiming a ransomware attack on the three hospitals disrupted their medical care.

Alabama-based DCH Health System is facing a federal lawsuit following a ransomware attack that disrupted care for non-critical patients for about 10 days in October, first reported by local news outlet Tuscaloosa Real-Time New.

During the first week of October, DCH closed the door to its three hospitals DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center. The attack limited the use of the computer systems, while staff worked to recover and operated under downtime procedures.

While the health system launched its emergency procedures, officials at the time said that the hospitals were closed to all but the most critical patients out of concern for patient safety. Clinicians were only caring for patients currently admitted to the hospital before the cyberattack.

At the time, patients arriving at the emergency department were cared for until they were stabilized, but officials said there was potential for those patients to be transferred to another hospital. DCH worked closely with federal authorities, staff, and vendors throughout the attack to minimize the risk to patient safety and recover from the attack.

But the class-action lawsuit filed by four patients on December 23 argues that patients were unable to access their health information due to the security incident. Further, patients alleged DCH violated HIPAA, as the hackers could have gained access to their medical records during the attack.

What’s more, the patients argued that they were forced to forgo medical care during the extended EHR-downtime.

Specifically, one of the patients named in the suit claimed they were unable to access the medications prescribed to them after surgery. Meanwhile, the mother of a patient who suffered from a severe allergic reaction during the security incident was redirected to another care provider, which delayed the patient’s recovery time.

“Because of the ransomware attack, plaintiffs and class members had their medical care and treatment as well as their daily lives disrupted. As a consequence of the ransomware locking down the medical records of plaintiffs and class members, plaintiffs and the class members had to forego medical care and treatment or had to seek alternative care and treatment,” according to the lawsuit.

“Defendant breached its obligations to plaintiffs and class members and or was otherwise negligent and reckless because [of its] failing to properly maintain and safeguard its computer systems and data,” the suit continued.

DCH is just the latest in ongoing health data breach lawsuits in the last year. Most recently, Solara Medical Supplies was hit with a class-action lawsuit, following a months-long breach that impacted about 114,000 patients.

Shortly after, Kalispell Regional Healthcare was sued over a three-month phishing attack that potentially breached the data of about 140,000 patients.

Dig Deeper on Cybersecurity strategies