05-04-2025
Lawsuit alleges hospital intentionally hid weak data systems, failed to protect patient data
A lawsuit alleges Frederick Health Hospital intentionally omitted that its data systems were vulnerable to attacks, failed to protect patient data from cyber criminals and didn't properly notify those impacted by a ransomware attack on the hospital in January.
The lawsuit was filed on March 4 on behalf of two current patients, Ernest Farkas and Joseph Klingman, as well as any other patients affected by the ransomware attack.
Klingman declined to comment for this story. Farkas could not be reached for comment.
Raina Borrelli of Strauss Borrelli PLLC of Chicago, Illinois, an attorney representing the patients, declined to comment Wednesday on the lawsuit.
On Jan. 27, an unauthorized person accessed patients' personal data, which may have included names, Social Security numbers, birthdays, health insurance information and driver's license numbers.
FHH on Feb. 6 began notifying people affected by the attack, according to the lawsuit.
The two patients named in the complaint have both experienced 'anxiety, sleep disruption, stress, fear, and frustration' due to a 'substantially increased risk of fraud, misuse, and identity theft,' the lawsuit says.
Although the total number of people impacted isn't known, the lawsuit alleges that over 100 people — potentially hundreds — were affected.
The complaint alleges that FHH failed to implement industry-standard cybersecurity measures and intentionally hid from patients that its data systems could be attacked and personal information could be accessed.
Due to FHH's 'unfair and deceptive acts and practices,' the lawsuit said, the patients affected will 'continue to suffer injury, ascertainable losses of money or property, and monetary and non-monetary damages, including from fraud and identity theft; time and expenses related to monitoring their financial accounts for fraudulent activity; an increased, imminent risk of fraud and identity theft; and loss of value' of their personal information.
FHH spokesperson Josh Faust said in a statement on March 28 that the hospital confirms it is the subject of a lawsuit related to the ransomware attack in January, but FHH can't comment on the specifics of ongoing legal proceedings.
FHH wants to 'assure our patients and the community that we take this matter seriously, and we are fully committed to resolving this issue responsibly and with integrity,' he said.
On March 28, FHH sent out letters to patients and staff who have been or may be impacted by the ransomware attack.
These letters include instructions on what people should do if they were affected by the attack. Tom Kleinhanzl, FHH's president and CEO, said FHH is offering people free identity theft protection and credit monitoring.
At the time the lawsuit was filed, it alleged, the hospital wasn't offering those services.
The complaint calls for a jury trial and asks for an unspecified monetary amount over $100,000 to be paid to the people affected.
FHH has until May 9 to respond.
Inadequate security measures, notices
Kleinhanzl said in an interview on March 27 that during the data breach, an unauthorized person accessed documents in a shared drive, which he described as an electronic storage closet for historical documents.
FHH's electronic medical records system, patient portal and emails were not accessed in the attack, but the company took its systems offline proactively.
The lawsuit said it is not known how long the unauthorized person had access to FHH's data network before the ransomware attack happened.
It also alleges that there are log-in credentials for Frederick Health employees on the 'Dark Web,' which cyber criminals may have used to access the company's systems if those credentials weren't reset.
The complaint alleges that FHH didn't adequately train its employees on cybersecurity and didn't have proper safeguards and security protocols in place to protect patients' personal and protected health data.
It also claims that because FHH waited to begin notifying people about the data breach, it deprived patients of the earliest possible opportunity to start mitigating any suspicious activity or 'injuries' from their data being compromised.
Some of the damages the lawsuit claims people impacted by the attack may experience include:
* 'Compromise and continuing publication' of their personal information
* Out-of-pocket costs to try to prevent identity theft and fraud
* Delay in receiving tax refunds
People with access to the stolen information could use it to access patients' bank accounts, hack online accounts and commit identity fraud to open bank accounts without the patients knowing.
With a recent increase in the number of cyber attacks and data breaches, for which hospitals are a popular target, FHH should've known of the risk of a data breach and been prepared to stop one, the lawsuit said.
The suit also assumes that the compromised data has been or will soon be published to the Dark Web.
The lawsuit also claims that FHH violated federal laws restricting the release of medical information, and that it intentionally deceived patients by suppressing the fact that its data systems were vulnerable to attacks and that the company didn't comply with consumer protection regulations.
If FHH had told patients its data systems weren't secure, the company 'would have been unable to continue in business and it would have been forced to adopt reasonable data security measures and comply with the law,' the complaint said.
The suit alleges FHH 'acted intentionally, knowingly, maliciously, and recklessly disregarded' patients' rights.