Five patients from Alabama have filed a federal class action lawsuit against a Tennessee-based hospital system after 4.5 million people across the U.S. were affected by a data breach.
In August, Community Health Systems disclosed that its computer system had been cyber-attacked in April and June.
The breach, which affected 206 hospitals in 29 states, involved non-medical personal information such as names, addresses, birth dates, telephone numbers and Social Security numbers.
The lawsuit was filed Aug. 21 in the Northern District of Alabama on behalf of five Alabama residents who were treated at Riverview Regional Medical Center, Gadsden Regional Medical Center, South Baldwin Regional Medical Center and Stringfellow Memorial Hospital.
The class action suit claims that the plaintiffs’ information was compromised because the hospital system failed “to implement and follow basic security procedures.” Hospital officials allegedly did not adequately protect or encrypt patients’ sensitive information.
The complaint also claims that Community Health Systems and its hospitals did not promptly notify patients who were affected by the breach.
The suit alleges breach of contract, breach of implied contract, breach of implied covenant of good faith and fair dealing, unjust enrichment, money had and received, negligence, negligence per se, wantonness, invasion of privacy, and violations of the Fair Credit Reporting Act.
According to a company filing with the Securities and Exchange Commission, the cybersecurity firm Mandiant believes the attacker was an “Advanced Persistent Threat” group from China. According to the SEC filing, Community Health Systems “is providing appropriate notification to affected patients and regulatory agencies…The company will also be offering identity theft protection services to individuals affected by this attack.”