A federal judge has ruled that parts of a class-action lawsuit against St. Louis-based Ascension over a ransomware attack in 2024 can move forward, while other claims will be dismissed.
The lawsuit, filed in May 2024 by former patients, accuses the nonprofit health system of failing to protect sensitive personal and medical information exposed in the breach. Plaintiffs say hackers accessed data including Social Security numbers, medical records, and financial account information.
In a Sept. 23 order obtained by Becker’s, the U.S. District Court for the Eastern District of Missouri said plaintiffs had shown enough evidence to pursue negligence and negligence per se claims, finding that the patient-provider relationship created a duty for Ascension to safeguard health data. The judge also allowed negligence per se claims tied to alleged violations of HIPAA regulations to proceed.
However, the court dismissed claims for breach of express and implied contract, unjust enrichment, and invasion of privacy. The judge ruled that Ascension’s privacy notices did not create contractual obligations and that the invasion of privacy claim could not proceed because the data theft was perpetrated by hackers, not directly by Ascension.
The plaintiffs represent a proposed nationwide class and state subclasses in Arkansas, Florida, Illinois, Indiana, Michigan, Oklahoma and Wisconsin. They allege injuries ranging from fraudulent charges and identity theft to delayed medical procedures.
Ascension operates 140 hospitals across 19 states. After the May 8, 2024, attack, the health system offered patients two years of credit monitoring, identity theft insurance and recovery services.
The post Judge allows portions of Ascension data breach lawsuit to proceed appeared first on Becker’s Hospital Review | Healthcare News & Analysis.
Health IT
