A lawsuit filed in the District Court of Dallas County alleges inadequate security and monitoring were behind the hack of Baptist Health System, a Tenet Health affiliate (Photo credit: "Dallas County Courthouse" by Nelo Hotsuma is licensed under CC BY 2.0.).

A lawsuit has been filed against Tenet Healthcare and its Texas affiliate Baptist Health System after Tenet notified 1.2 million patients that their data was stolen during a hack of its systems in March.

The patient who filed the lawsuit is seeking $1 million in monetary relief for the class action and claims his individual damages are less than $75,000.

Filed in the District Court of Dallas County, the suit claims the stolen data was not encrypted ahead of the cyberattack. It should be noted that under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, encryption is an "addressable" specification rather than a strict requirement: a provider must implement it where reasonable and appropriate, or document why it is not and put an equivalent alternative safeguard in place.

As previously reported, Baptist Medical Center and Resolute Health Hospital first discovered the intrusion on April 20, several weeks after the incident began. A threat actor installed malicious code on certain network systems, prompting the provider to suspend user access to the affected IT applications.

The investigation into the intrusion found the attackers used their weeks-long access to remove data containing patient information from the network.

While the stolen data did not include any driver’s licenses, credit and debit card information, or bank account details, it may have involved Social Security numbers, demographics, contact details, health insurance information, medical record numbers, dates of service, diagnoses, treatments, facility names, reason for visit, claims data, billing codes, and other sensitive data.

The notice shows the providers improved their monitoring capabilities and systems security after the incident, something the lawsuit argues should have happened ahead of the hack.

“On information and belief, BHS and its employees failed to properly monitor the computer network and IT systems that housed the private information,” according to the suit. In addition, the patient data was maintained in a “condition vulnerable to a cyberattack.”

The lawsuit goes on to claim the hospitals were aware their systems’ security mechanisms were a “known risk” and thus, officials were “on notice that failing to take steps necessary to secure the private information from those risks left that property in a dangerous condition.”

Notably, the lawsuit argues that patients were not notified of the breach in a timely fashion. However, Baptist Health issued its notification well within the requirements of the HIPAA Breach Notification Rule: without unreasonable delay and no later than 60 days after discovery.

As a result of the data theft and “negligent conduct,” the impacted patients argue that they’re at a heightened risk of identity theft as the data is now in the hands of threat actors. The data could be used for a number of fraudulent activities, including opening accounts or taking out loans in the victims’ names. The data may also be used to target victims with phishing campaigns.

Although the lawsuit claims the breach victims have “been exposed to a heightened and imminent risk of fraud and identity theft,” it fails to provide any specific details of actual harm experienced by the patients as a direct result of the incident.

In June 2021, the Supreme Court ruled in TransUnion LLC v. Ramirez that only individuals “concretely harmed” by a defendant's statutory violation have standing to seek damages against that entity.

The lawsuit is seeking compensatory damages, reimbursement of out-of-pocket costs, and injunctive relief, which could include requirements for the hospital to improve its systems security, submit to annual audits, and provide victims with adequate credit monitoring services.