St. Louis-based Ascension is already facing two proposed class-action lawsuits just days after the cyberattack on the 140-hospital system.
Complaints were filed May 12 by patient Katherine Negon in U.S. District Court for the Northern District of Illinois and May 13 by patient Ana Marie Turner in U.S. District Court for the Western District of Texas over the May 8 ransomware attack.
The lawsuits, which were both brought by the Law Offices of T. J. Jesky in Chicago, claim that Ascension failed to encrypt its patients' data, leaving it vulnerable to hackers. Ascension patients are "now at a heightened risk of identity theft for years to come," the complaints state.
"Ascension remains focused on safely caring for our patients and swiftly restoring our systems," a health system spokesperson emailed Becker's. "We are conducting a thorough investigation of the incident with the support of leading cybersecurity experts and law enforcement. If we determine sensitive data was potentially exfiltrated or accessed, we will notify and support the affected individuals in accordance with all relevant regulatory and legal obligations."
The plaintiffs seek monetary damages and injunctive and declaratory relief from Ascension "arising from its failure to safeguard" patients' personally-identifying and protected health information. The lawsuits claim that each affected patient will require an estimated $200 a year for credit and identity theft monitoring for at least five years.