In late July, the Tampa General Hospital (TGH), a non-profit research and academic-based medical center located in the heart of the coastal Florida city, posted an updated notice to its website, announcing to patients that the facility was recently subjected to a massive cyberattack. The data breach allegedly leaked the personal information of roughly 1.2 million TGH patients and stated that an unauthorized and unidentified third party carried out the cyberattack. As a result, the responsible party accessed patients' sensitive information, including full names, birth dates, Social Security numbers, treatment records, patient account numbers and various Health Insurance Portability and Accountability Act (HIPAA)-protected medical records. In the following weeks, TGH representatives launched a full-scale investigation in conjunction with the Federal Bureau of Investigation (FBI) and local law enforcement, which determined that the data breach occurred between May 12 and May 31. All 1.2 million patients affected were subsequently notified two months after the initial breach.
On August 7, Orlando-based law firm Morgan & Morgan filed class action claims against TGH on behalf of only three victims affected by last month's data breach. According to the plaintiffs involved, TGH failed to secure and safeguard their personal medical data and further exacerbated the issue by not notifying patients until the end of July, well over two months after the initial breach. Additionally, the lawsuit states that TGH was utterly unaware of the data breach until May 31, allowing the hackers that carried out the cyberattack roughly three weeks to gather patient information and remain fully undetected. The plaintiffs, who are choosing to stay anonymous due to the data breach's severity, include a retired FBI agent and an individual who had a past experience with online identity theft.
"Our clients' allegations in this case paint a picture of Tampa General Hospital's cavalier attitude toward cybersecurity and patient privacy. This is not the first time Tampa General Hospital has allegedly failed to protect its patients' personal data—this data breach follows a 2014 breach. It is our hope that this lawsuit will not only secure justice and accountability for the patients whose privacy and peace of mind have been irrevocably violated but also will spur Tampa General Hospital to take additional steps to protect their patients' privacy in a manner appropriate for the current climate of cyber-attacks,” stated John Morgan and Ryan McGee, the Morgan & Morgan attorneys assigned to the case, as reported originally by Infosecurity Magazine.
The standing lawsuit against TGH accuses the facility of violating the Florida Deceptive and Unfair Trade Practices Act and includes allegations of invasion of privacy, unjust enrichment, breach of confidence, fiduciary duty and contract claims. According to their legal counsel, the plaintiffs are seeking relief in the form of restitution, injunctive relief and significant monetary damages, which remain unspecified at this time.