Law Street Media

Marietta Healthcare to Face HIPAA Complaint

Analyzing samples in test tube backgrounds at laboratory.

Last week, Kathleen Tucker filed a purported class action against Marietta Healthcare Inc. on behalf of individuals affected by a data breach allegedly discovered on the defendant’s computer systems on August 14, 2021. Tucker filed the action in the United States District Court for the Southern District of Ohio.

The plaintiff alleges that in August 14, 2021, the defendant, a comprehensive healthcare provider,  identified malware on its servers for its three hospitals in Ohio and West Virginia.  The complaint further alleges that the intruders, identified in news articles as “Hive ransomeware,” had had system access since July 10, 2021.  The complaint avers that defendant resolved the systems  issues on August 15, 2021, but not before the hackers had stolen, among  other data, patients’ personal information.

The hackers allegedly obtained both patients’ Personally Identifiable Information and Protected Health Information.  The complaint defines the class as “All persons Memorial Health identified as being among those impacted by the Data Breach…” and includes a “Customer Subclass”  of “All patients and/or customers Memorial Health identified as being impacted bin the Data Breach.”  According to the complaint, the class is comprised of “approximately 216,478 Members.”

The complaint contains four causes of action: Negligence; Negligence Per Se; Breach of Implied Contract and Unjust Enrichment.  The negligence count alleges a breach of the duty of care to use reasonable security measures to protect  data; the negligence per se count alleges  that the failure to employ reasonable security measures constitutes a violation  of the Federal Trade Commission Act as an unfair practice; the breach of implied contract count alleges an implied contract to safeguard information and timely notify class members of the breach (which did not allegedly happen until January 2022); and the unjust enrichment count alleges that class members paid defendant in part for data security measures that defendant did not provide.  This fourth count is pled “in the alternative to Counts 3 and 4 (breach of express and breach of implied contract.)”  However, there is no count for breach of express contract otherwise in the complaint.

 Counsel for the alleged class are Markovits, Stock & DeMarco and the Lyon Firm, LLC, both located in Cincinnati.

Exit mobile version