A lawsuit filed against an American healthcare provider over a 2020 data breach has been allowed to proceed, but only for one patient.
The patient, Stephen Motkowicz, claims that his surgery was canceled as a result of a ransomware attack and subsequent data breach at Universal Health Services (UHS).
UHS employs around 90,000 people at the approximately 400 care centers and hospitals it operates in the United Kingdom, Puerto Rico, and the United States.
Sensitive data belonging to UHS was exfiltrated in September last year when the company was targeted by the Ryuk ransomware gang.
All UHS sites in Puerto Rico and the US were affected by the cyber-attack, which caused the company’s IT systems to go offline for a month. Some scheduled appointments were postponed as a result.
The Fortune 500 healthcare organization said in March that the attack had cost it an estimated $67m in downtime and related expenses.
The law firm Morgan & Morgan filed a lawsuit in the US District Court, Eastern District of Pennsylvania against UHS on behalf of three patients who accused the healthcare company of negligence, breach of implied contract, breach of fiduciary duty, and breach of confidence.
Claims made by two of the plaintiffs who said that the data breach had made them vulnerable to fraud and identity theft were dismissed by US District Judge Gerald McHugh as too speculative in an opinion filed Monday.
However, McHugh adjudged that Motkowicz had sufficient grievance to proceed. When Motkowicz’s surgery was canceled because of the attack, he was forced to take additional time off work. This caused him to lose his health insurance through his employer, with the result that he had to purchase an insurance policy at a higher price.
Referring to the two claimants whose claims he dismissed, McHugh said: “A court is still left to speculate . . . whether the hackers acquired plaintiffs’ (private health information) in a form that would allow them to make unauthorized transactions in their names, as well as whether plaintiffs are also intended targets of the hackers’ future criminal acts.”
Of Motkowicz, McHugh said: “Plaintiff’s injury is not speculative, as his financial expenditures allegedly occurred in response to the data breach and the corresponding cancellation of his surgery.”