21,000-Record Data Breach Sparks Trinity Health Class Action Lawsuit

Posted by Steve Alder

A class action lawsuit has been filed in the U.S. District Court for the Southern District of Iowa against Trinity Health, Mercy Health Network, and Mercy Medical Center – Clinton over a cyberattack and data breach that affected 21,000 patients.

Livonia, MI-based Trinity Health, which operates Mercy Health Network and Mercy Medical Center – Clinton in Iowa, discovered a cyberattack on April 4, 2023, the forensic investigation of which confirmed hackers had gained access to systems containing patients’ protected health information on March 7, 2023, and maintained access to those systems until April 7, when its systems were secured. The data exposed and potentially stolen in the attack included names, addresses, birth dates, Social Security numbers, diagnosis codes, treatment information, prescription information, and service/discharge. Trinity Health offered affected individuals complimentary credit monitoring services for 12 months.

On June 12, 2023, a lawsuit was filed on behalf of plaintiff Jennifer Medenblik that alleges the defendants failed to protect the sensitive data of patients and monitor its systems for intrusions, which allowed hackers to gain access to its network and the protected health information of 21,000 patients and remain undetected within its systems for a month. The lawsuit alleges violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and a failure to follow healthcare industry best practices for protecting sensitive data and Federal Trade Commission (FTC) guidelines.

Trinity Health notified affected patients about the attack; however, the lawsuit claims those notifications were inadequate, and failed to provide the necessary support. The lawsuit also claims that the defendants have not provided satisfactory assurances to patients that the impacted data has been recovered or deleted nor that adequate cybersecurity measures have been implemented post-data breach to prevent further security breaches in the future.

The 8-count lawsuit – Medenblik v. Trinity Health Corporation et al, includes allegations of negligence, breach of contract, and breach of confidence, and claims the plaintiff and class members have suffered and are at an imminent, immediate, and continuing increased risk of suffering ascertainable losses. The lawsuit seeks class action status, a jury trial, an award of damages, and funds to cover a lifetime of credit monitoring services and identity theft insurance for the plaintiff and class members.

The post 21,000-Record Data Breach Sparks Trinity Health Class Action Lawsuit appeared first on HIPAA Journal.

Senate Committee Advances Rural Hospital Cybersecurity Enhancement Act

Posted by Steve Alder

The Senate Homeland Security and Governmental Affairs Committee has advanced a bill that seeks to address the current shortage of cybersecurity skills in rural hospitals, which are increasingly targeted by cybercriminals. Rural hospitals do not have the resources available to invest in cybersecurity and struggle to recruit skilled cybersecurity professionals and, as such, are seen as soft targets by cybercriminals.

The Rural Hospital Cybersecurity Enhancement Act, which was introduced by Sen. Josh Hawley (R-MO) and co-sponsored by Sens. Gary Peters (D-MI) and Jon Ossoff (D-GA), calls for the development of a comprehensive rural hospital cybersecurity workforce development strategy to address the current shortage of cybersecurity staff at rural hospitals. The Rural Hospital Cybersecurity Enhancement Act requires the Secretary of the Department of Homeland Security to develop a comprehensive rural hospital cybersecurity workforce development strategy to address the growing need for skilled cybersecurity professionals in rural hospitals within a year of enactment of the act.

When developing the cybersecurity workforce development strategy, the Secretary should consider partnerships between rural hospitals, private sector entities, educational institutions, and non-profits to expand cybersecurity education and training programs tailored to the needs of rural hospitals, the development of a cybersecurity curriculum and teaching resources for rural educational institutions, and make recommendations for legislation, rulemaking, and/or guidance for implementing the strategy.

Rural hospitals are operating under increasing financial pressure and lack the necessary funding for cybersecurity. Currently, few rural hospitals have dedicated cybersecurity workers and IT staff are generally in short supply and overworked. Cybersecurity positions in rural hospitals typically have low remuneration, and the lack of funding means individuals who take on cybersecurity roles do not have access to the latest cybersecurity tools that would be at their disposal in other positions. The global shortage of skilled cybersecurity professionals is unlikely to be resolved in the short to medium term, so the aim of the bill is to address the shortage through teaching programs at rural educational institutions and developing rural hospital workforces through education on fundamental aspects of cybersecurity.

Sen. Rand Paul (R-TX) tabled an amendment to the original bill, stipulating that CISA should not ask for additional funds for the proposed measures, and the amended bill will now head to the Senate floor for a vote. The advancement of the Rural Hospital Cybersecurity Enhancement Act occurred a few days after the announcement that a rural hospital in Illinois will permanently close on June 16, 2023, due, in part, to the financial pressures caused by a ransomware attack.

“I am encouraged Congress is taking bipartisan action to shore up the ability of small-town hospitals to defend themselves from cyberattacks,” said Senator Hawley. “We must continue working diligently to improve cybersecurity preparedness in rural hospitals to both protect the sensitive medical and personal data of American patients and defend our national security.”

The post Senate Committee Advances Rural Hospital Cybersecurity Enhancement Act appeared first on HIPAA Journal.