Lawsuit alleges hospital intentionally hid weak data systems, failed to protect patient data
The lawsuit was filed on March 4 on behalf of two current patients, Ernest Farkas and Joseph Klingman, as well as any other patients affected by the ransomware attack.
Klingman declined to comment for this story. Farkas could not be reached for comment.
Raina Borrelli of Strauss Borrelli PLLC of Chicago, Illinois, an attorney representing the patients, declined to comment Wednesday on the lawsuit.
On Jan. 27, an unauthorized person accessed patients' personal data — which may have included names, Social Security numbers, birthdays, health insurance information and drivers' license numbers.
FHH on Feb. 6 began notifying people affected by the attack, according to the lawsuit.
The two patients named in the complaint have both experienced 'anxiety, sleep disruption, stress, fear, and frustration' due to a 'substantially increased risk of fraud, misuse, and identity theft,' the lawsuit says.
Although the total number of people impacted isn't known, the lawsuit alleges that over 100 people — potentially hundreds — were affected.
The complaint alleges that FHH failed to implement industry-standard cybersecurity measures and intentionally hid from patients that its data systems could be attacked and personal information could be accessed.
Due to FHH's 'unfair and deceptive acts and practices,' the lawsuit said, the patients affected will 'continue to suffer injury, ascertainable losses of money or property, and monetary and non-monetary damages, including from fraud and identity theft; time and expenses related to monitoring their financial accounts for fraudulent activity; an increased, imminent risk of fraud and identity theft; and loss of value' of their personal information.
FHH spokesperson Josh Faust said in a statement on March 28 that the hospital confirms it is the subject of a lawsuit related to the ransomware attack in January, but FHH can't comment on the specifics of ongoing legal proceedings.
FHH wants to 'assure our patients and the community that we take this matter seriously, and we are fully committed to resolving this issue responsibly and with integrity,' he said.
On March 28, FHH sent out letters to patients and staff who have been or may be impacted by the ransomware attack.
These letters include instructions of what people should do if they were affected by the attack. Tom Kleinhanzl, FHH's president and CEO, said FHH is offering people free identity theft protection and credit monitoring.
At the time the lawsuit was filed, it alleged, the hospital wasn't offering those services.
The complaint calls for a jury trial and asks for an unspecified monetary amount over $100,000 to be paid to the people affected.
FHH has until May 9 to respond.
Inadequate security measures, notices
Kleinhanzl said in an interview on March 27 that during the data breach, an unauthorized person accessed documents in a shared drive, which he described as an electronic storage closet for historical documents.
FHH's electronic medical records system, patient portal and emails were not accessed in the attack, but the company took its systems offline proactively.
The lawsuit said it is not known how long the unauthorized person had access to FHH's data network before the ransomware attack happened.
It also alleges that there are log-in credentials for Frederick Health employees on the 'Dark Web,' which cyber criminals may have used to access the company's systems if those credentials weren't reset.
The complaint alleges that FHH didn't adequately train its employees on cybersecurity and didn't have proper safeguards and security protocols in place to protect patients' personal and protected health data.
It also claims that because FHH waited to begin notifying people about the data breach, it deprived patients the earliest possible opportunity to start mitigating any suspicious activity or 'injuries' from their data being compromised.
Some of the damages the lawsuit claims people impacted by the attack may experience include:
* 'Compromise and continuing publication' of their personal information
* Out-of-pocket costs to try to prevent identify theft and fraud
* Delay in receiving tax refunds
People with access to the stolen information could use it to access patients' bank accounts, hack online accounts and commit identify fraud to open bank accounts without the patients knowing.
With a recent increase in the number of cyber attacks and data breaches — which hospitals are a popular target for — FHH should've known of the risk of a data breach and been prepared to stop one, the lawsuit said.
The suit also assumes that the compromised data has been or will soon be published to the Dark Web.
The lawsuit also claims that FHH violated federal laws restricting the release of medical information, as well as intentionally deceived patients by suppressing the fact its data systems were vulnerable to attacks and that the company didn't comply with consumer protection regulations.
If FHH had told patients its data systems weren't secure, the company 'would have been unable to continue in business and it would have been forced to adopt reasonable data security measures and comply with the law,' the complaint said.
The suit alleges FHH 'acted intentionally, knowingly, maliciously, and recklessly disregarded' patients' rights.
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Health Line
a day ago
- Health Line
Can You Lose Medicare Coverage?
Medicare coverage is a lifelong benefit for individuals who meet eligibility criteria. However, there are certain situations where a person may have their coverage canceled. To be eligible for Medicare, the federal health insurance program for older adults in the United States, you need to be 65 years of age or older. If you're younger than 65 years old, you may qualify for Medicare if you: have disability and collect Social Security Disability Insurance have end stage renal disease (ESRD) have amyotrophic lateral sclerosis (ALS) If you meet the eligibility requirements for Medicare, you have a right to coverage for the rest of your life. However, it's possible for your coverage to be canceled or discontinued. In this article, we discuss when this might occur and how to reenroll. Why might you lose Medicare coverage? A person may lose their Medicare coverage if they: stop paying their plan's premiums move out of their plan's service area no longer meet the eligibility criteria for the plan Nonpayment of Medicare premiums If you stop paying your monthly premiums, Medicare may terminate your coverage. Individuals enrolled in Original Medicare may have premium payments for Part A and Part B. Generally, there is a grace period of a couple of months after a person stops paying their premium. During this time, you can get caught up on your payments. However, if you don't resume them, Medicare will disenroll you from your coverage. If you're enrolled in a Medicare Advantage (Part C) or Part D plan, you'll also need to continue paying your monthly premiums or risk termination of your coverage. Moving out of a plan's service area If you move your permanent residence outside of your plan's service area, it may affect your coverage. Original Medicare coverage works anywhere in the United States. If you move abroad, you can stay enrolled in Medicare, but it won't cover any healthcare services you receive. Likewise, if you're incarcerated, you can keep your Original Medicare coverage, but it won't be applied toward any of your healthcare costs, which will be covered by the penal institution. Medicare Advantage plans work a bit differently. These plans have regional service areas, and your home address determines which plans you're eligible for. If you move out of your county or state, it's possible that you'll no longer be in your plan's service area. If you have a Medicare Advantage plan and become incarcerated, the plan will consider you outside its service area and disenroll you. If this happens, you may be disenrolled from the plan. No longer meeting eligibility criteria If you're eligible for Social Security Disability Insurance (SSDI), you're also eligible for Medicare. Eligibility involves having a condition that: prevents you from working at the substantial gainful activity (SGA) level prevents you from working at the same level you once did is expected to last for at least a year or be fatal If you no longer meet the eligibility requirements for disability with the Social Security Administration, and you're younger than 65 years old, your Medicare coverage may be discontinued. However, if you have a qualifying disability but end up returning to work, you won't automatically lose your Medicare coverage, provided your disability persists. If you qualify for Medicare due to ESRD, your Medicare coverage will end 12 months after you stop receiving dialysis and 36 months after a successful kidney transplant. Depending on why you lost Medicare coverage, you can likely reinstate it. If you are disenrolled from Original Medicare, a Medicare Advantage plan, or a Part D plan due to nonpayment of the plan's premium, you'll have to wait until the Medicare open enrollment period to sign back up. However, if you go without Medicare coverage for an extended time, you may be responsible for paying late enrollment penalties after you do enroll. People who lost coverage due to leaving their plan's service area may be able to avoid late enrollment penalties by qualifying for a special enrollment period (SEP). SEPs allow people to enroll in coverage outside of traditional enrollment periods. If you have questions about reenrolling in Medicare after losing coverage, consider speaking with a Medicare representative about your situation or contacting your local State Health Insurance Assistance Program (SHIP). The information on this website may assist you in making personal decisions about insurance, but it is not intended to provide advice regarding the purchase or use of any insurance or insurance products. Healthline Media does not transact the business of insurance in any manner and is not licensed as an insurance company or producer in any U.S. jurisdiction. Healthline Media does not recommend or endorse any third parties that may transact the business of insurance.
Newsweek
a day ago
- Newsweek
Social Security Announces Major Change
Based on facts, either observed and verified firsthand by the reporter, or reported and verified from knowledgeable sources. Newsweek AI is in beta. Translations may contain inaccuracies—please refer to the original content. The Social Security Administration announced that it has added 13 conditions to its Compassionate Allowances (CAL) list on Monday. The added conditions aim to accelerate disability determinations for people with serious medical conditions, the agency said in a press release. Why It Matters The CAL initiative was designed to fast-track claims for applicants whose diagnoses clearly met Social Security's statutory standard for disability. More than 1.1 million applicants have been approved through the accelerated pathway since CAL began, according to the SSA press release. What To Know The expansion increased the total number of conditions on the CAL list to 300, which the SSA said would help the agency reach decisions more quickly for applicants with specific, severe diseases and conditions. The 13 conditions added in the Monday announcement include: Au-Kline Syndrome Bilateral Anophthalmia Carey-Fineman-Ziter Syndrome Harlequin Ichthyosis – Child Hematopoietic Stem Cell Transplantation LMNA-related Congenital Muscular Dystrophy Progressive Muscular Atrophy Pulmonary Amyloidosis – AL Type Rasmussen Encephalitis Thymic Carcinoma Turnpenny-Fry Syndrome WHO Grade III Meningiomas Zhu-Tokita-Takenouchi-Kim Syndrome According to the SSA, when applicants submit medical evidence indicating a CAL condition, the agency can identify and prioritize those claims using advanced tools. The CAL list was first introduced to reduce waiting times for applicants with clearly disabling conditions, and the SSA said the program remains fully policy-compliant while speeding determinations for eligible claimants. File photo of a Social Security Administration office in Washington, D.C. File photo of a Social Security Administration office in Washington, D.C. SAUL LOEB/AFP via Getty Images What People Are Saying SSA Commissioner Frank Bisignano, in a statement: "We are constantly looking for ways to improve our disability programs and serve the public more effectively. By adding these 13 conditions to the Compassionate Allowances list, we are helping more people with devastating diagnoses to quickly receive the support they need. This is part of our broader commitment to making the disability determination process as responsive and compassionate as possible." Alex Beene, a financial literacy instructor for the University of Tennessee at Martin, told Newsweek: "This is certainly welcome news for Americans who have any of the 13 added conditions to the list of those that now qualify for expedited consideration under the Compassionate Allowances List the administration provides. For some disability benefits under SSA, wait times can be lengthy in order for the administration to verify the potential beneficiary's condition and determine the next steps." Kevin Thompson, the CEO of 9i Capital Group and the host of the 9innings podcast, told Newsweek: "While claims still have to go through the traditional process, the agency is now using advanced technology to speed things up. If you're diagnosed with something on the Compassionate Allowances list, your claim could be processed much faster." What Happens Next The SSA encourages applicants to apply online at if they believe they have a CAL condition. "Long term, this could mean fewer delays and less financial strain for those facing serious medical conditions, but it also puts pressure on Social Security to keep up with technology and ensure the system remains fair and accurate," Thompson said.
Miami Herald
3 days ago
- Miami Herald
In letter, US senators admonish UnitedHealth after second major cyberattack in a year
Another major computer breach involving UnitedHealth Group has prompted two U.S. senators this week to query the health care giant about the adequacy of its cyber defenses. Episource, a UnitedHealth subsidiary, had its systems hacked last winter, exposing the data of 5.4 million people. The cyberattack appears to be the second-largest U.S. health care hack this year and follows a record-breaking breach in February 2024 of another United subsidiary, Change Healthcare. The Change cyberattack is regarded as the largest ever U.S. health care hack. It affected the data of 190 million people - about half the country's population. "The recently reported hack of Episource, a subsidiary of UnitedHealth Group (UHG), raises significant questions about UHG's efforts to safeguard patient information," Sen. Bill Cassidy, R-La., and Sen. Maggie Hassan, D-N.H., wrote Monday to UnitedHealth CEO Stephen Hemsley. "We have seen the recent threat that hostile actors, including Iran may pose on health care entities and UHG's repeated failures to protect against such attacks jeopardizes patient health." The senators asked UnitedHealth to respond by Aug. 18. In a statement, the company said: "We are in receipt of the senators' letter and look forward to providing them the information they requested." Eden Prairie-based UnitedHealth is one the nation's largest companies and the biggest U.S. health insurer. Episource, like Change Healthcare, is part of the company's Optum group, which runs clinics, manages pharmacy benefits and provides other services to health care companies. California-based Episource specializes in health care technology and data services. Its customers include medical providers and health care plans. Episource said in a statement that it found "unusual activity in its computer systems" on Feb. 6. An investigation found that a "cybercriminal was able to see and take copies of some data" between Jan. 27 and Feb. 6. The breach didn't affect all of Episource's customers. Data that may have been compromised included contact information - names, addresses, phone numbers - and health insurance information such as "Medicaid-Medicare government payor ID numbers." Hackers also accessed health data – diagnoses, test results, medicines, treatment records – and to a limited extent, Social Security numbers, according to Episource. After completing its investigation, the company said it started notifying customers about the breach on April 23. Episource reported the hack to the U.S. Department of Health and Human Service on June 6, saying it affected 5.4 million people, according to the department's website. At the time, Episource said it was unaware of any misuse of the exposed data. In their letter to Hemsley, Hassan and Cassidy asked UnitedHealth for more information about the Episource hack and for updates on the company's handling of the Change Healthcare breach. Change Healthcare shut down its computer systems in February 2024 to contain the cyber debacle, throwing a wrench into the nation's health care system. When the hack hit, Change Healthcare processed a large share of all health care claims and payments in the U.S. - roughly 15 billion transactions annually. UnitedHealth's then-CEO Andrew Witty was compelled to testify before Congress in May 2024 about the breach. The hack has produced a storm of litigation, too, as heath care companies seek compensation from UnitedHealth for millions of dollars of alleged losses. More than 70 separate lawsuits against Change Healthcare have been consolidated in a multidistrict litigation case in federal court in Minnesota. Such cases are used in the federal court system for complex legal matters involving many separate but similar claims. Copyright (C) 2025, Tribune Content Agency, LLC. Portions copyrighted by the respective providers.
