A class action lawsuit against St. Joseph Hospital alleges the health system failed to protect personally identifiable information.
Covenant Health, the parent company of St. Joseph Hospital, was the target of a cyberattack, a spokesperson said in late May. A lawsuit filed Monday by Bangor resident Michael McClain alleges the health system was negligent in protecting private information.
St. Joe’s and Covenant “hold themselves out as a trusted data collector” and failed to protect that data, according to the lawsuit filed Monday in Penobscot County Superior Court. The class action lawsuit asks for monetary awards as allowed by law and does not name a specific amount of money.
The personally identifiable information that was potentially breached includes a person’s name, date of birth, Social Security number, phone number, email address and more. Medical records may also have been breached.
St. Joseph has not said what, if any, data was taken when the cyberattack happened. The hospital took systems offline on May 26 when it noticed “irregularities impacting connectivity across the organization.”
St. Joseph Hospital does not comment on pending litigation, the hospital’s Chief Communications Officer Karen Sullivan said.
Those connectivity issues are a “strong indicator” that private information was “likely compromised because of the cyberattack,” the lawsuit said.
The lawsuit said the systems breached an implied contract when the data was not safeguarded, as well as alleging St. Joe’s was unjustly enriched when it saved costs by using “cheaper, ineffective security measures.”
There is an ongoing risk of identity theft for McLain and members of the class action lawsuit because there is a link between a data breach and the sale of private information to criminals, according to the lawsuit.
