Bangor man sues hospital, Covenant Health over data breach

Yahoo

a day ago

Jun. 11—A Bangor man has filed a class-action lawsuit against St. Joseph Hospital and its owner, Covenant Health, over a recent data breach he says compromised confidential patient information.
In a complaint filed Monday in Penobscot County Superior Court, Michael McClain says he is suing on behalf of himself and others whose sensitive private information was impacted by a data breach in May.
Covenant Health — the nonprofit owner of St. Joseph Hospital, St. Mary's Health System, St. Andre Health Care in Biddeford, and nursing homes in Lewiston and Bangor — disconnected from all of its hospitals' data systems on May 26 because of a "cyber incident" that it said was initiated by an outside group.
A spokesperson for Covenant said shortly after the incident that the Catholic organization was working with outside parties to determine what happened and to get its computer systems restored.
The lawsuit says Covenant and St. Joseph failed to properly secure private information that was entrusted to them. Because of the breach, access to documents systems, online patient portals and patient services were disrupted, according to the lawsuit.
"Unexpected connectivity issues linked to a cyberattack on hospitals and medical facilities serves as a strong indicator that private information stored on the breaching entity's IT network was likely compromised because of the cyberattack," the complaint says.
Karen Sullivan, a spokesperson for Covenant, said Wednesday that the organization is aware of the filing but does not comment on pending litigation.
The lawsuit alleges that Covenant failed to implement and maintain reasonable network safeguards against threats, maintain data retention policies, train staff on data security and comply with industry-standard data security practices. It also says Covenant did not warn patients about its inadequate data security practices or encrypt private information, and that the organization failed to recognize that its networks had been compromised.
The lawsuit says the plaintiff's and class members' identities are at risk because of Covenant's "negligent conduct" and is "now in the hands of data thieves."
"As a result of the data breach, plaintiff and class members are now at a current, imminent, and ongoing risk of fraud and identity theft. Plaintiff and class members must now and for years into the future closely monitor their medical and financial accounts to guard against identity theft," the lawsuit reads.
The lawsuit claims that impacted patients have incurred financial costs to mitigate the risk of identity theft, have experienced delays in experiencing medical care, and are at a continued risk for further breaches as long as Covenant fails to undertake adequate steps to protect private information.
The plaintiff is seeking compensatory damages, reimbursement for out-of-pocket costs and injunctive relief, including improvements to the system's data security systems, annual audits and long-term credit monitoring. A jury trial has been requested.
The plaintiffs are being represented by Portland law firm Murray, Plumb & Murray. A reporter's calls and emails seeking comment Wednesday afternoon were not returned.
Copy the Story Link
We believe it's important to offer commenting on certain stories as a benefit to our readers. At its best, our comments sections can be a productive platform for readers to engage with our journalism, offer thoughts on coverage and issues, and drive conversation in a respectful, solutions-based way. It's a form of open discourse that can be useful to our community, public officials, journalists and others.
We do not enable comments on everything — exceptions include most crime stories, and coverage involving personal tragedy or sensitive issues that invite personal attacks instead of thoughtful discussion.
You can read more here about our commenting policy and terms of use. More information is also found on our FAQs.
Show less