Updated: Lawsuit alleges cybersecurity failures by hospital; Social Security numbers among compromised data
The lawsuit, filed March 4, also alleges Frederick Health "deprived [people] of the chance to mitigate their injuries" by failing to notify them of the data breach until Feb. 6 — 10 days after the attack on Jan. 27.
'Frederick Health can confirm that it is the subject of a suit pertaining to the cyber event that occurred earlier this year. While we cannot comment on the specifics of the ongoing legal proceedings at this time, we want to assure our patients and the community that we take this matter seriously, and we are fully committed to resolving this issue responsibly and with integrity," a statement by FHH spokesperson Josh Faust said on Friday. "Frederick Health and our legal team are cooperating with officials to review the claim. Our priority remains to positively impact the well-being of every individual in the community and to continue to protect and safeguard the security of our systems and the information we maintain.'
He declined to comment further.
On Jan. 27, FHH identified a ransomware attack. Tom Kleinhanzl, the hospital's president and CEO, said an unauthorized person gained access to and copied documents from a shared drive, which he described as an electronic storage closet for important historical information.
The documents contained information such as patients' names, Social Security numbers, birthdays and addresses.
He said FHH's electronic medical records system, patient portal and emails were not accessed in the attack. The hospital still took the rest of its systems offline proactively as a precaution.
The lawsuit was filed on behalf of two "customers" of Frederick Health, as well as any others affected by the ransomware attack, according to court documents.
Frederick Health has been unable to determine the full extent of the data breach, the suit alleges.
The stolen information is "one of the most valuable commodities on the criminal information black market," the suit says. The information's presence on the "dark web" could result in financial harm for Frederick Health customers, as well as their identities being stolen.
Frederick Health's failure to implement "reasonable and appropriate" cybersecurity measures violated federal consumer protection laws, the suit alleges.
The suit also alleges that Frederick Health "had notice and knew that its inadequate cybersecurity practices would cause injury" to the hospital's customers. Frederick Health deliberately omitted and suppressed the fact that it did not comply with regulations regarding consumer protection, the suit further alleges.
Frederick Health "would have been unable to continue in business and it would have been forced to adopt reasonable data security measures and comply with the law" had it disclosed its vulnerabilities to its customers, the suit alleges.
The suit calls for a jury trial and asks for unspecified monetary and other damages to be paid to those affected.
FHH sends letters
Frederick Health Hospital sent out letters Friday to patients and staff who have been or may be impacted by the ransomware attack.
Kleinhanzl said the letters include instructions for what people should do if they've been impacted. He also said FHH is offering these people free identity theft protection and credit monitoring.
Right after the attack happened, the hospital was diverting ambulances to take patients to other emergency departments.
For several weeks, staff members were using "downtime procedures" and recorded everything on paper since they couldn't use electronic systems.
FHH slowly brought its systems back online over several weeks, with its electronic medical records system being restored on Feb. 18. The hospital announced on March 4 that its patient portal was back up.
Kleinhanzl said he could not comment further on the unauthorized person, the investigation into the attack and what law enforcement agency is working with FHH due to active litigation.
The FBI told The Frederick News-Post on Feb. 4 that it can neither confirm nor deny it is investigating the ransomware attack at FHH.
Kleinhanzl said a "substantial number" of notification letters are being sent out to current and former patients and staff, but he declined to comment on how many letters were being delivered.
Due to the personal information that is in the shared drive, "that's why we felt compelled to be very broad in the distribution of this notification," he said.
He also said the hospital will continually evaluate and modify its security and privacy practices to protect people's information and still has extensive security measures in place.
"We take our role seriously, very seriously, in this community of doing everything we possibly can to protect information, and we want to make sure we're doing right by everyone we can to give an option of protection," Kleinhanzl said.
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Health Line
5 hours ago
- Health Line
Can You Lose Medicare Coverage?
Medicare coverage is a lifelong benefit for individuals who meet eligibility criteria. However, there are certain situations where a person may have their coverage canceled. To be eligible for Medicare, the federal health insurance program for older adults in the United States, you need to be 65 years of age or older. If you're younger than 65 years old, you may qualify for Medicare if you: have disability and collect Social Security Disability Insurance have end stage renal disease (ESRD) have amyotrophic lateral sclerosis (ALS) If you meet the eligibility requirements for Medicare, you have a right to coverage for the rest of your life. However, it's possible for your coverage to be canceled or discontinued. In this article, we discuss when this might occur and how to reenroll. Why might you lose Medicare coverage? A person may lose their Medicare coverage if they: stop paying their plan's premiums move out of their plan's service area no longer meet the eligibility criteria for the plan Nonpayment of Medicare premiums If you stop paying your monthly premiums, Medicare may terminate your coverage. Individuals enrolled in Original Medicare may have premium payments for Part A and Part B. Generally, there is a grace period of a couple of months after a person stops paying their premium. During this time, you can get caught up on your payments. However, if you don't resume them, Medicare will disenroll you from your coverage. If you're enrolled in a Medicare Advantage (Part C) or Part D plan, you'll also need to continue paying your monthly premiums or risk termination of your coverage. Moving out of a plan's service area If you move your permanent residence outside of your plan's service area, it may affect your coverage. Original Medicare coverage works anywhere in the United States. If you move abroad, you can stay enrolled in Medicare, but it won't cover any healthcare services you receive. Likewise, if you're incarcerated, you can keep your Original Medicare coverage, but it won't be applied toward any of your healthcare costs, which will be covered by the penal institution. Medicare Advantage plans work a bit differently. These plans have regional service areas, and your home address determines which plans you're eligible for. If you move out of your county or state, it's possible that you'll no longer be in your plan's service area. If you have a Medicare Advantage plan and become incarcerated, the plan will consider you outside its service area and disenroll you. If this happens, you may be disenrolled from the plan. No longer meeting eligibility criteria If you're eligible for Social Security Disability Insurance (SSDI), you're also eligible for Medicare. Eligibility involves having a condition that: prevents you from working at the substantial gainful activity (SGA) level prevents you from working at the same level you once did is expected to last for at least a year or be fatal If you no longer meet the eligibility requirements for disability with the Social Security Administration, and you're younger than 65 years old, your Medicare coverage may be discontinued. However, if you have a qualifying disability but end up returning to work, you won't automatically lose your Medicare coverage, provided your disability persists. If you qualify for Medicare due to ESRD, your Medicare coverage will end 12 months after you stop receiving dialysis and 36 months after a successful kidney transplant. Depending on why you lost Medicare coverage, you can likely reinstate it. If you are disenrolled from Original Medicare, a Medicare Advantage plan, or a Part D plan due to nonpayment of the plan's premium, you'll have to wait until the Medicare open enrollment period to sign back up. However, if you go without Medicare coverage for an extended time, you may be responsible for paying late enrollment penalties after you do enroll. People who lost coverage due to leaving their plan's service area may be able to avoid late enrollment penalties by qualifying for a special enrollment period (SEP). SEPs allow people to enroll in coverage outside of traditional enrollment periods. If you have questions about reenrolling in Medicare after losing coverage, consider speaking with a Medicare representative about your situation or contacting your local State Health Insurance Assistance Program (SHIP). The information on this website may assist you in making personal decisions about insurance, but it is not intended to provide advice regarding the purchase or use of any insurance or insurance products. Healthline Media does not transact the business of insurance in any manner and is not licensed as an insurance company or producer in any U.S. jurisdiction. Healthline Media does not recommend or endorse any third parties that may transact the business of insurance.
Newsweek
5 hours ago
- Newsweek
Social Security Announces Major Change
Based on facts, either observed and verified firsthand by the reporter, or reported and verified from knowledgeable sources. Newsweek AI is in beta. Translations may contain inaccuracies—please refer to the original content. The Social Security Administration announced that it has added 13 conditions to its Compassionate Allowances (CAL) list on Monday. The added conditions aim to accelerate disability determinations for people with serious medical conditions, the agency said in a press release. Why It Matters The CAL initiative was designed to fast-track claims for applicants whose diagnoses clearly met Social Security's statutory standard for disability. More than 1.1 million applicants have been approved through the accelerated pathway since CAL began, according to the SSA press release. What To Know The expansion increased the total number of conditions on the CAL list to 300, which the SSA said would help the agency reach decisions more quickly for applicants with specific, severe diseases and conditions. The 13 conditions added in the Monday announcement include: Au-Kline Syndrome Bilateral Anophthalmia Carey-Fineman-Ziter Syndrome Harlequin Ichthyosis – Child Hematopoietic Stem Cell Transplantation LMNA-related Congenital Muscular Dystrophy Progressive Muscular Atrophy Pulmonary Amyloidosis – AL Type Rasmussen Encephalitis Thymic Carcinoma Turnpenny-Fry Syndrome WHO Grade III Meningiomas Zhu-Tokita-Takenouchi-Kim Syndrome According to the SSA, when applicants submit medical evidence indicating a CAL condition, the agency can identify and prioritize those claims using advanced tools. The CAL list was first introduced to reduce waiting times for applicants with clearly disabling conditions, and the SSA said the program remains fully policy-compliant while speeding determinations for eligible claimants. File photo of a Social Security Administration office in Washington, D.C. File photo of a Social Security Administration office in Washington, D.C. SAUL LOEB/AFP via Getty Images What People Are Saying SSA Commissioner Frank Bisignano, in a statement: "We are constantly looking for ways to improve our disability programs and serve the public more effectively. By adding these 13 conditions to the Compassionate Allowances list, we are helping more people with devastating diagnoses to quickly receive the support they need. This is part of our broader commitment to making the disability determination process as responsive and compassionate as possible." Alex Beene, a financial literacy instructor for the University of Tennessee at Martin, told Newsweek: "This is certainly welcome news for Americans who have any of the 13 added conditions to the list of those that now qualify for expedited consideration under the Compassionate Allowances List the administration provides. For some disability benefits under SSA, wait times can be lengthy in order for the administration to verify the potential beneficiary's condition and determine the next steps." Kevin Thompson, the CEO of 9i Capital Group and the host of the 9innings podcast, told Newsweek: "While claims still have to go through the traditional process, the agency is now using advanced technology to speed things up. If you're diagnosed with something on the Compassionate Allowances list, your claim could be processed much faster." What Happens Next The SSA encourages applicants to apply online at if they believe they have a CAL condition. "Long term, this could mean fewer delays and less financial strain for those facing serious medical conditions, but it also puts pressure on Social Security to keep up with technology and ensure the system remains fair and accurate," Thompson said.
Miami Herald
3 days ago
- Miami Herald
In letter, US senators admonish UnitedHealth after second major cyberattack in a year
Another major computer breach involving UnitedHealth Group has prompted two U.S. senators this week to query the health care giant about the adequacy of its cyber defenses. Episource, a UnitedHealth subsidiary, had its systems hacked last winter, exposing the data of 5.4 million people. The cyberattack appears to be the second-largest U.S. health care hack this year and follows a record-breaking breach in February 2024 of another United subsidiary, Change Healthcare. The Change cyberattack is regarded as the largest ever U.S. health care hack. It affected the data of 190 million people - about half the country's population. "The recently reported hack of Episource, a subsidiary of UnitedHealth Group (UHG), raises significant questions about UHG's efforts to safeguard patient information," Sen. Bill Cassidy, R-La., and Sen. Maggie Hassan, D-N.H., wrote Monday to UnitedHealth CEO Stephen Hemsley. "We have seen the recent threat that hostile actors, including Iran may pose on health care entities and UHG's repeated failures to protect against such attacks jeopardizes patient health." The senators asked UnitedHealth to respond by Aug. 18. In a statement, the company said: "We are in receipt of the senators' letter and look forward to providing them the information they requested." Eden Prairie-based UnitedHealth is one the nation's largest companies and the biggest U.S. health insurer. Episource, like Change Healthcare, is part of the company's Optum group, which runs clinics, manages pharmacy benefits and provides other services to health care companies. California-based Episource specializes in health care technology and data services. Its customers include medical providers and health care plans. Episource said in a statement that it found "unusual activity in its computer systems" on Feb. 6. An investigation found that a "cybercriminal was able to see and take copies of some data" between Jan. 27 and Feb. 6. The breach didn't affect all of Episource's customers. Data that may have been compromised included contact information - names, addresses, phone numbers - and health insurance information such as "Medicaid-Medicare government payor ID numbers." Hackers also accessed health data – diagnoses, test results, medicines, treatment records – and to a limited extent, Social Security numbers, according to Episource. After completing its investigation, the company said it started notifying customers about the breach on April 23. Episource reported the hack to the U.S. Department of Health and Human Service on June 6, saying it affected 5.4 million people, according to the department's website. At the time, Episource said it was unaware of any misuse of the exposed data. In their letter to Hemsley, Hassan and Cassidy asked UnitedHealth for more information about the Episource hack and for updates on the company's handling of the Change Healthcare breach. Change Healthcare shut down its computer systems in February 2024 to contain the cyber debacle, throwing a wrench into the nation's health care system. When the hack hit, Change Healthcare processed a large share of all health care claims and payments in the U.S. - roughly 15 billion transactions annually. UnitedHealth's then-CEO Andrew Witty was compelled to testify before Congress in May 2024 about the breach. The hack has produced a storm of litigation, too, as heath care companies seek compensation from UnitedHealth for millions of dollars of alleged losses. More than 70 separate lawsuits against Change Healthcare have been consolidated in a multidistrict litigation case in federal court in Minnesota. Such cases are used in the federal court system for complex legal matters involving many separate but similar claims. Copyright (C) 2025, Tribune Content Agency, LLC. Portions copyrighted by the respective providers.
