Sep. 24—A December 2021 data breach is the topic of a lawsuit filed this week in Monongalia County Circuit Court.
It names Monongalia Health Systems Inc. (Mon Health) and affiliated hospitals, Monongalia County General Hospital Co., Stonewall Jackson Memorial Hospital Co. and Preston Memorial Hospital Corp. as defendants.
According to the lawsuit, on Feb. 28, Mon Health announced the security incident that compromised the protected health information (PHI) of at least 492, 861 individuals. The system determined that unauthorized parties accessed its IT network between Dec. 8-19, 2021 — when the system was alerted to unusual activity.
On Dec. 30, 2021, Mon Health determined that the data breach resulted in unauthorized access to information pertaining to its patients, providers, employees and contractors, the suit said.
An investigation into the breach found the unauthorized third party had access to sensitive patient information, including "names, addresses, dates of birth, Social Security numbers, Medicare health insurance claim numbers, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information and patient status, " the lawsuit states.
The plaintiffs, Rachel Silbaugh, Robin Stripling and Michael Stripling, claim their information and that of over 492, 000 potential class members was disclosed without authorization to an unknown third party as a result of the data breach and allege claims for negligence, breach of contract, breach of implied contract and breach of confidence.
The plaintiffs claim that as a result of Mon Health's "failure to implement and follow basic security procedures, " their information is now in the hands of criminals and class members now and forever will face an increased risk of identity theft.
The lawsuit also claims Mon Health's data breach resulted from insufficiencies that indicate the health care system failed to comply with safeguards mandated by HIPAA (Health Insurance Portability and Accountability Act).
According to the plaintiffs' claims, Mon Health began mailing letters to those whose information had been compromised on Feb. 28 — nearly two months after the investigation concluded.
"The notice letters plaintiffs and class members received were untimely and woefully deficient, " the suit states, "failing to provide basic details concerning the data breach."
Mon Health's delay in identifying and reporting the breach deprived plaintiffs and class members of the ability to promptly mitigate potential adverse consequences from the data breach, the lawsuit claims.