Nashville-based HCA Healthcare (HCA) is a leading provider of healthcare services and one of the largest companies in the United States. According to its website, it operates 180 hospitals and approximately 2,300 ambulatory sites of care across twenty states in both the United States and the United Kingdom. 

Despite its reputable standing, the prominent healthcare provider is currently facing allegations related to a data security incident that occurred on July 5, 2023. The cyberattack resulted in the exposure of sensitive information belonging to over 11 million individuals. The data compromised in this incident allegedly included protected health information and personally identifiable information.

On July 10, 2023, in response to the data security incident, HCA posted a notice on its website, informing the public about the situation. According to the notice, an unknown and unauthorized party gained access to certain patient information and made it available on an online forum. HCA asserts that the exposed data was primarily used for email messages, such as appointment reminders and healthcare program education. The company emphasized that there was no disruption to patient care and services or day-to-day operations resulting from the incident. Furthermore, HCA established it did not believe the data breach would have a significant impact on its business, operations, or financial results.

On July 24, 2023, Ebony Hayes, on behalf of the class of affected individuals, filed a data breach class action in the United States District Court for the Middle District of Tennessee. The class claims that HCA failed to implement adequate measures to secure and protect their private information. Among the allegations are claims of non-compliance with industry standards concerning data security and accusations of untimely notification about the breach.

In the Complaint, several legal claims are raised against HCA, including negligence, breach of implied contract, and breach of fiduciary duty. The crux of the plaintiffs’ argument revolves around HCA’s alleged lack of appropriate security measures, which they believe allowed unauthorized access to their private information, causing risks of identity theft and fraud.

Ebony Hayes and the affected class seek equitable relief, compelling HCA to improve its cybersecurity and disclose the type of compromised information. Furthermore, they demand damages, attorneys’ fees, and other relief deemed appropriate by the Court. Morgan & Morgan represents the plaintiffs in this case. Counsel has not yet appeared for the defendant. This is the second HCA data breach class action filed by a patient in the same court over the span of one week, with the first filed on July 19. 

Cyber breaches, especially in the healthcare industry, will continue to plague companies of all sizes, which is why Chilivis Grubman attorneys routinely discuss cyber-related developments.  In May 2022, CG attorneys discussed the ARcare data breach that potentially affected over 345,000 individuals.  In January 2022, CG attorneys discussed the HIPAA Journal’s December 2021 Healthcare Data Breach Report, which indicated there were 70 more data breaches in the healthcare industry in 2021 than in 2020. In June 2022, CG attorneys discussed the Shields Health Care Group data breach impacting 50 Facilities and 2 million individuals.

Cyber-related incidents are showing no signs of a decline.  As such, companies in all industries, especially those handling and storing sensitive personal data, should try to safeguard data, ensure proper employee training, and develop a breach response process that is tested, rehearsed, and updated. 

The attorneys at Chilivis Grubman represent clients of all sizes in connection with data breaches and cybersecurity matters, including regulatory obligations and litigation arising therefrom.  If you need assistance with such a matter, please contact us today.