CommonSpirit negligently failed to protect sensitive health information, resulting in a data compromise affecting more than 623,000 patients – and perhaps many more, allege plaintiffs in two proposed federal class action lawsuits filed in the aftermath of the hospital chain’s 2022 ransomware attack.
The lawsuits – one filed on Jan. 13, and the other on Dec. 29, 2022 – are each being heard in the U.S. District Court for the Northern District of Illinois, where Chicago-based CommonSpirit has its headquarters.
While both lawsuits make similar claims against CommonSpirit, one of the complaints alleges that although CommonSpirit has reported that only its Virginia Mason Franciscan Health entities in Washington state were affected by the data breach, the actual number of affected individuals could be in the tens of millions.
CommonSpirit, a nonprofit Catholic chain of 142 hospitals and nearly 2,200 care sites across 21 states, is the product of a 2019 merger between Catholic Health Initiatives and Dignity Health. CommonSpirit, which acquired Virginia Mason Franciscan Health in 2021, is at least the fourth-largest healthcare organization in the United States.
Beyond the entities that CommonSpirit reported as having been affected by the incident, “other medical systems in Defendant’s system have experienced significant disruptions in their operations which included doctors giving patients wrong doses of medication and patients not being able to schedule appointments,” the lawsuit filed by plaintiff Jose Antonio Koch alleges.
The actual number of victims is potentially 20 million individuals, the complaint alleges.
