Knoxville-based East Tennessee Children's Hospital is facing a lawsuit after a number of patients' personal health information was exposed in a March 2022 data breach, 10News reported June 2.
The lawsuit claims that the hospital was negligent in how it handled the data breach. It also claims that the hospital failed to protect the personal health information of patients.
The data breach, which occurred between March 11 and March 14, disrupted key care services at the hospital. Email and X-ray services were also affected, as they had to be taken offline during the attack.
On March 18, the hospital discovered that an unauthorized person may have viewed or copied certain documents from its system.
An April 19 investigation later determined that the documents included certain patient information, such as names, dates of birth, Social Security numbers, driver's license or state identification numbers, non-resident identification numbers, medical information, health insurance information, credit or debit card information, financial information, billing information, and usernames and passwords.
An East Tennessee Children's Hospital spokesperson told Becker's that the hospital could not comment on pending litigation; however, it released the following statement:
"Along with providing outstanding patient care, the confidentiality, privacy, and security of information within our care are among East Tennessee Children's Hospital’s highest priorities. Upon identifying this incident, we promptly took steps to secure our systems and investigate the full scope of the event. We are also reviewing and strengthening existing policies, procedures, and safeguards related to cyber security and have already taken additional steps to further enhance the security of our systems.
"We notified federal law enforcement of this incident, as well as appropriate state and federal regulators. We also mailed notices with information about the incident to those individuals for whom we have address information and, as an added precaution, we are providing individuals with credit monitoring and identity theft protection services at no cost. Information on the services and instructions on how to enroll in these services is included in the letter mailed to individuals."