How Much of a Risk Is a Potential Class-action Lawsuit against CommonSpirit?

CommonSpirit Health, one of the nation’s largest health systems, is facing a proposed class-action lawsuit over a ransomware attack it suffered last fall.

How perilous is this for a health system already strained by challenging finances? At least one lawyer believes that, like many lawsuits following a data breach, it will be settled out of court.

“It’s almost axiomatic,” said David Balser, a partner at Atlanta law firm King & Spalding. “If a data breach is announced, litigation is going to follow — whether or not the claims are meritorious.”

That litigation is being brought by Leeroy Perkins, who is one of the 623,774 patients notified by the health system that their data had been breached in a ransomware attack. Perkins filed the complaint December 29 against CommonSpirit, a nonprofit health system with headquarters in Chicago. Perkins has been a patient at Seattle-based Virginia Mason Franciscan Health, one of CommonSpirit’s subsidiaries, since 2003.

CommonSpirit operates 140 hospitals and more than 1,000 care sites across 21 states, according to its website. The health system did not respond to MedCity News’ request for comment on the lawsuit.

An unauthorized third party obtained access to “certain portions of CommonSpirit’s network” from September 16 to October 3, according to a notice the health system posted about the data breach. During this time, CommonSpirit experienced EHR downtime and suffered appointment cancellations across its network of hospitals.

The exposed patient information included names, addresses, phone numbers, dates of birth, and “a unique ID used only internally by the organization,” according to CommonSpirit’s notice. The health system said it “has no evidence” that any of this personal information was misused as a result of the cybersecurity incident.

The lawsuit claims that the health system “failed to properly implement basic data security practices” and did not “employ reasonable and appropriate measures” to protect against unauthorized access to patient data. The complaint also said that this negligence has left patients vulnerable to identity theft and financial fraud.

In his complaint, Perkins asked for class-action status. He also demanded damages, restitution, all other forms of equitable monetary relief, and declaratory and injunctive relief.

The vast majority of hospitals’ data breach lawsuits get settled, though, Balser declared. This is because there must be “some concrete harm or injury” to permit the case to go forward into court, he said.

The mere fact that information was accessed by ransomware attackers doesn’t automatically create a claim for a plaintiff, Balser pointed out. He also said that health systems usually have insurance that will kick in to cover data breach claims.

Last year, Balser represented Capital One in a data breach case. The company faced a lawsuit over a 2019 data breach that exposed the information of more than 100 million customers, and the banking giant ended up issuing a $190 million class-action settlement. Balser said that to his knowledge, that case got further than any other data breach lawsuit. It went all the way through class certification and summary judgment briefing, but the case settled before the court could move on any of those motions.

“At the end of the day, there is not a data breach case that I’m aware of that has actually gone to trial. Either the defendant gets the case thrown out or it gets resolved,” he said.
