Pa. Hospital's Data Breach Put Patients at High Risk of Fraud, Class Action Alleges
Plaintiff Robert Marrone and nearly 169,000 class members who were victims of a September data breach at Warren General Hospital in Warren, Pennsylvania, are at “significantly increased risk of fraud,” alleged a Nov. 22 class action (docket 1:23-cv-00330) in U.S. District Court for Western Pennsylvania in Erie.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
As a result of the hospital’s “inadequate data security,” its breach of duty to handle personally identifiable information (PII) and personal health information (PHI) with reasonable care, and its failure to maintain the confidentiality of patients’ medical records and PHI, that personal information has been “accessed by hackers, exfiltrated, and exposed to an untold and potentially growing number of unauthorized individuals,” said the complaint.
Warren General announced Nov. 9 it experienced a data breach after learning Sept.15-23 that an unknown, unauthorized bad actor had accessed, downloaded and exfiltrated confidential patient data, said the complaint. Stolen data included names, addresses, dates of birth and Social Security numbers; financial account, payment card and health insurance claims information; plus medical information such as diagnosis, medications, lab results and other treatment data, it said.
As a result of the breach, and at the direction of the defendant’s letter, the Warren County resident made reasonable efforts to mitigate the impact of the data breach by reviewing credit reports and financial statements for indications of attempted identity theft or fraud, the complaint said. He has done this “every day since learning of the breach and has spent many hours so far” dealing with the breach -- valuable time he otherwise would have spent on other activities, it said.
Marrone’s injuries suffered from the data breach include damage to and diminution of his PII and PHI, violation of privacy; loss of confidence in his healthcare provider; increased anxiety; time spent reviewing credit reports and financial account statements; a “marked, recent increase in spam” emails calls and texts; and “present, imminent, and impending injury arising from the increased risk of identity theft and fraud,” it said.
Marrone asserts claims of negligence, breach of fiduciary duty, breach of confidences and violation of the Pennsylvania Unfair Trade Practices and Consumer Protection Law. He seeks for himself and the class compensatory, statutory, treble and/or punitive damages; an order of restitution, disgorgement and other forms of equitable monetary belief; declaratory and injunctive relief; pre- and post-judgment interest; and reasonable attorneys’ fees and legal costs.