Morgan & Morgan filed a lawsuit against Tampa General Hospital (TGH) on Monday on behalf of three victims of a data breach that occurred in May, which the hospital described as a "cybersecurity event."
On July 19, the hospital announced that an unauthorized third party accessed some patient information, impacting 1.2 million people. According to TGH, some of the information accessed may have included names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, dates of service, and limited treatment information.
The lawsuit claims that the details of an investigation that determined when "unusual activity” began in its computer systems are "shrouded in secrecy."
The hospital originally noticed the activity in its computer systems on May 31, but a subsequent investigation by a "third-party forensic firm" determined that the activity started earlier on May 12.
The suit claims TGH worsened its patients' suffering by failing to notify them about the data breach until more than two months after it had initially occurred. According to the lawsuit, the patients affected had no reason to protect themselves against identity theft and fraud while others had their information and could misuse it.
The hospital has reported the event to the FBI and provided them with information to support its investigation.
The lawsuit referenced a letter that Florida Sen. Rick Scott wrote to the FBI urging its director, Christopher Wray, to take immediate action and “prioritize the FBI’s investigation” because “hackers were nonetheless able to access files containing sensitive personal identifying information that could be used for further criminal activity if the individuals are not quickly apprehended by [the FBI]."
A press release said one of the victims in the lawsuit has already suffered identity theft since the breach occurred, and another is a retired FBI agent.
Morgan & Morgan attorneys John Morgan and Ryan McGee issued the following statement:
“Our clients’ allegations in this case paint a picture of Tampa General Hospital’s cavalier attitude toward cybersecurity and patient privacy. This is not the first time Tampa General Hospital has allegedly failed to protect its patients’ personal data – this data breach follows a 2014 breach. It is our hope that this lawsuit will not only secure justice and accountability for the patients whose privacy and peace of mind have been irrevocably violated, but also will spur Tampa General Hospital to take additional steps to protect their patients' privacy in a manner appropriate for the current climate of cyberattacks.”
Read the full lawsuit below:
TGH Data Breach Complaint - Filed Version 8.4.23 by ABC Action News on Scribd