Alabamans File Class Action for Patient Data Hack - U.S. Eleventh Circuit
U.S. Eleventh Circuit - The FindLaw 11th Circuit Court of Appeals Opinion Summaries Blog

Alabamans File Class Action for Patient Data Hack

It's been a slow week in the Eleventh Circuit. Last week, though, was a doozey. A Florida judge ruled the state's same-sex marriage ban unconstitutional. Alabama's Supreme Court said that injured consumers could go after brand-name pharmaceutical companies for problems caused by generics (provoking no small amount of controversy).

With high courts in each state in the Eleventh remaining quiet, this week we have some (alleged) Chinese hackers and a class action lawsuit.

Want to spend more time practicing, and less time advertising? Leave the marketing to the experts.

Hacker's Paradise

The trouble started when Community Health Systems, a national chain of hospitals and facilities, was hacked by what one cybersecurity firm believed was the "Advanced Persistent Threat" group from China. "Advanced persistent threat" is a generic phrase for long-term, covert hacking, conducted by computer professionals -- often at the behest of foreign governments, according to the Infosec Institute.

AL.com noted that hackers like this are usually after medical device development information, but in this case, only non-medical patient data were taken, but that included names, birthdates, and social security numbers. No one's quite sure what Chinese hackers would want with patient personal information, outside of a little bit of the old identity theft.

And Now, a Lawsuit

By now, it's turned out that the hacking wasn't limited just to Alabama: the breach affected 206 hospitals in 29 states, reported AL.com. To that end, five patients filed a federal class action lawsuit, alleging that hospital officials failed to adequately protect patient information. They claim that there are potentially 4.5 million members in the class -- the number of people whose medical records CHS stored.

The case will turn, naturally, on CHS' security mechanisms and whether those mechanisms were sufficient. Generally, there's no duty to protect someone from a third party's criminal acts unless those acts were foreseeable. Venture Beat reported that hackers were able to access CHS' patient data by exploiting the infamous Heartbleed bug: "And here, some security analysts believe, CHS is at fault. The Heartbleed security bug was discovered in April, so CHS had time to take precautions." The ubiquity of the Heartbleed bug, combined with the knowledge that foreign espionage can and does happen, could be enough to trigger liability on CHS' part.

The lawsuit was just filed, so we'll see where this goes. In these preliminary stages, the first step will be deciding whether class action status is even warranted. After that, most likely a settlement.

Related Resources: