Universal Health Services (UHS) is facing a lawsuit associated with a 2020 data breach; but, the lawsuit proceeded only for one of the patients identified on the lawsuit.
UHS manages approximately 400 hospitals and care centers throughout the United Kingdom and the United States. In September 2020, UHS experienced a ransomware attack that resulted in the exfiltration of sensitive data. The Ryuk ransomware gang issued threats to the victim that it will release the stolen information on a leak website in case no ransom is paid, though the UHS investigators did not find any proof of data misuse.
The attack impacted all 400 UHS care websites and prompted considerable disruption, as IT systems were only restored on the internet one month after the attack happened. UHS was compelled to delay a number of scheduled consultations due to the attack.
The law agency Morgan & Morgan filed a lawsuit in the U.S. District Court, Eastern District of Pennsylvania naming three patients as plaintiffs – Graham v. Universal Health Service Inc. The lawsuit alleged negligence, breach of fiduciary duty, breach of implied contract, and breach of confidence. Two plaintiffs wanted compensation for the compromise of sensitive information, which they asserted put them in greater danger of identity theft and fraud.
As what oftentimes happens in data breach lawsuits, the two plaintiffs’ – Barry Graham and Angela Morgan – claims were considered to be very speculative and the allegation of increased risk of identity theft and fraud lacked standing as it wasn’t tantamount to harm. The plaintiffs failed to present proof to validate their claim, with U.S. District Judge Gerald McHugh noticing that in instances of information theft in ransomware attacks, the theft of information is usually used for extorting payment and that the courts can just predict whether the form of the stolen information would permit the attackers to do illegal transactions under the names of the plaintiffs and if they would in fact become victims in future criminal activities by the attackers.
Plaintiff, Stephen Motkowicz’, claims were determined to be enough to make it through the motion to dismiss. Motkowicz’s appointment for a surgical procedure was delayed because of the attack. Motkowicz needed surgery to deal with a health condition and, because of the delay, he was compelled to get more time off work and eventually lost his medical insurance via his employer and was compelled to buy an insurance plan with a higher price.
Plaintiff’s injury isn’t speculative, since his financial expenses purportedly happened because of the data breach and the equivalent postponement of his surgical procedure. Although his claim was adequate to receive the motion to dismiss, Judge McHugh stated the theory of causation presented a considerable challenge, which must be assessed by means of more research to know whether it was adequate to have standing.