A class-action lawsuit has been filed against San Juan Regional Medical Center in Farmington, New Mexico, over a data breach reported in June 2021. According to the breach investigation, an unauthorized person gained access to its system and exfiltrated files containing sensitive patient information from September 7, 2020, to September 8, 2020.
The data breach report was initially submitted to the HHS’ Office for Civil Rights (OCR) as impacting 500 people, with San Juan Regional Medical Center stating at the time that no fewer than 500 people were impacted. When the total number of people impacted by a security breach is unknown, a breach report can be sent to OCR and updated as soon as more information is available. The breach investigation later confirmed the potential theft of the protected health information (PHI) of 68,792 people as a result of the attack.
Although data theft was confirmed, the hospital did not find any evidence of misuse of any patient’s PHI. People whose Social Security numbers were compromised were offered free credit monitoring and identity theft protection services for one year.
On October 7, 2021, the lawsuit was filed on behalf of Jeremy Henderson and all the patients of San Juan Regional Medical Center who were impacted by the data breach. The lawsuit states that San Juan Regional Medical Center was negligent in handling patient information, which led to the exposure of sensitive data and its theft by hackers. The lawsuit additionally states that the hospital did not implement proper security measures to protect patient information, in violation of the Health Insurance Portability and Accountability Act (HIPAA).
The lawsuit also raises the length of time San Juan Regional Medical Center took to send notifications. Henderson stated he was notified of the breach on September 13, 2021, over one year after the theft of his PHI.
The lawsuit claims the plaintiff and class members face a significant risk of identity theft and fraud due to the theft of their PHI. They have had to spend time and effort monitoring their accounts and statements and taking other measures to protect themselves against identity theft and fraud. According to the lawsuit, one year of credit monitoring and identity theft protection services is not enough. The lawsuit seeks unspecified compensation.