Ascension faces class action lawsuits for Black Basta ransomware attack


Ascension is facing two class action lawsuits over the May 8 ransomware attack, which reportedly continues to disrupt operations because of disconnection from the Epic EHR and is causing long ER wait times at some of the health system’s 140 hospitals.

On May 12, Katherine Negron filed a class action complaint against Ascension in the U.S. District Court for the Northern District of Illinois. On May 13, Ana Marie Turner filed a similar lawsuit in federal court for the Western District of Texas. Both civil lawsuits, filed by the Law Offices of T.J. Jesky in Chicago, seek monetary damages and demand a jury trial.

The Black Basta ransomware attack brought down Ascension's IT systems, the complaints said, citing the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).

The lawsuits allege that Ascension failed to safeguard personal identifying information and protected health information. Because of the cyberattack, the plaintiffs were unable to effectively communicate with their healthcare providers through the MyChart patient portal or receive the requisite medical care and attention they needed, the complaint said. 


The ransomware attack resulted in the unauthorized disclosure of PHI including names, dates of birth, patient records, Social Security numbers and other PHI, the lawsuits said.

“Plaintiff and the Class also now forever face an amplified risk of further misuse, fraud and identity theft due to their sensitive Personal Information falling into the hands of cybercriminals as a result of the tortious conduct of the defendant,” said the Negron lawsuit.

Ascension failed to implement “reasonable and industry standard data security practices,” the lawsuit said. “The Data Breach was a direct result of Defendant’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect patients’ Private Information from a foreseeable and preventable cyberattack.”

In addition, according to the complaint, “(the) Defendant maintained the Private Information in a reckless manner. In particular, the Private Information was maintained on Defendant’s computer network in a condition vulnerable to cyberattacks.”

The plaintiffs also want improvements to Ascension’s data security systems, future annual audits and adequate credit monitoring services.


The cyberattack affected one of the largest health systems in the country, on the heels of a February ransomware attack that continues to impact Change Healthcare. Change is owned by Optum, which is affiliated with the largest insurer in the nation, UnitedHealthcare.

Change, which offers claims management, was immediately taken offline after the ransomware attack. While systems are coming back online, the disruption continues to affect hospital and physician practice revenue due to delays in claims payment.

UnitedHealth Group CEO Andrew Witty confirmed the company paid a $22 million ransom in bitcoin to protect personal health information.
