A proposed class-action lawsuit has been filed against Tampa General Hospital claiming negligence led to a May cyberattack that resulted in data theft affecting about 1.2 million patients.
The lawsuit, filed last week in Hillsborough County, alleges the breach was preventable and that the hospital “exacerbated the harm” by failing to notify those affected until “months” after the attack.
Morgan & Morgan, which is representing the three unnamed plaintiffs, said in a news release that one of its clients has suffered identity theft since the breach and another is a retired FBI agent.
The hospital says it discovered “unusual activity” on its systems on May 31, and an investigation determined the hack by a “criminal group” occurred between May 12 and May 30. The hospital said it reported the “cybersecurity event” to the FBI to investigate.
A review found the stolen patient data varied by individual. The hospital says its “may” have included names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance information, medical record numbers, account numbers, dates of service and limited treatment information used for business operations.
The plaintiffs are remaining anonymous “due to the sensitive nature of the information,” according to the lawsuit. They are seeking damages, restitution, injunctive relief from Tampa General and the appointment of class representatives.
"Our clients' allegations in this case paint a picture of Tampa General Hospital's cavalier attitude toward cybersecurity and patient privacy. This is not the first time Tampa General Hospital has allegedly failed to protect its patients' personal data – this data breach follows a 2014 breach," Morgan & Morgan attorneys John Morgan and Ryan McGee said in a statement.
"It is our hope that this lawsuit will not only secure justice and accountability for the patients whose privacy and peace of mind have been irrevocably violated, but also will spur Tampa General Hospital to take additional steps to protect their patients' privacy in a manner appropriate for the current climate of cyber-attacks."
Patients who may have been affected have been receiving notification by mail. The hospital says complimentary credit monitoring and identity theft protection is available to patients whose Social Security numbers were involved.
