‘Lifetime risk:’ Tacoma health system accused of not securing patient data in breach
Virginia Mason Franciscan Health, a large Tacoma-based healthcare provider whose 10 area hospitals include St. Joseph Medical Center, is being accused of failing to safeguard patient information compromised in a data breach earlier this year.
The breach, reported in October, occurred through a company called Welltok, Inc., which was in possession of the personal data because it operates an online contact-management platform that shares information with patients on behalf of VMFH and a slew of other healthcare providers.
A lawsuit filed Dec. 12 in Pierce County Superior Court, which seeks to be certified as a class action, seeks to hold the healthcare provider to account. It alleged that VMFH didn’t properly secure the sensitive information of thousands of people — including clinical data, patient ID numbers and health insurance information — that was disclosed to unauthorized third parties between May 30 and May 31.
“Virginia Mason is responsible for implementing adequate security protocols to thwart cyber thieves; they are likewise responsible for ensuring their agents and contractors take the same precautions,” attorney Tim Emery, who is representing the plaintiff in the lawsuit, said in a statement.
A communications firm that assists with media inquiries to VMFH said the healthcare provider did not comment on pending litigation and provided a statement attributed to VMFH.
“Virginia Mason Franciscan Health is committed to providing its patients and communities with exceptional care,” the statement said.
In an online notice dated Oct. 24, linked in a top banner on VMFH’s website, Welltok said that an investigation determined in August that software vulnerabilities in a file-transfer tool, previously publicized by the tool’s developer, had been exploited by “an unauthorized actor.”
“Welltok takes this incident very seriously and is providing information about the incident, our response to it, and resources available to individuals to help protect their information, should they feel it appropriate to do so,” the company said in the notice.
Welltok added that it had no evidence that any personal data had been misused.
Effects of the breach
The lawsuit, brought by Meghan McClendon, a Pierce County resident who was recently a VMFH patient, claimed that she had received a “substantial uptick” in spam calls and emails attempting to obtain further personal details from her.
McClendon also spent time trying to mitigate the breach’s impact, including researching it, reviewing credit reports and financial account statements for any indications of fraud, and looking into credit monitoring and identity-theft protection services offered by VMFH as a result of the breach, according to the lawsuit.
“Plaintiff and Class Members now face a lifetime risk of identity theft and the sharing and detrimental use of their Personal Information,” the lawsuit reads.
The legal filing also criticized the timing of when patients were notified. Welltok said it was alerted on July 26 to an alleged compromise of its file-transfer tool’s server but did not initially find any indication that the alert was warranted. The company continued to investigate, employing third-party cybersecurity specialists, and discovered the breach on Aug. 11. It then learned whose data might have been affected roughly two weeks later.
Welltok didn’t notify McClendon until Dec. 1, according to photos of a letter from the company to McClendon, which were attached in the lawsuit.
The letter said that VMFH “learned the scope of the data present on the impacted server” on Nov. 7 and that both the company and healthcare provider had since been coordinating efforts to alert affected people.
“Virginia Mason patients relied on their hospital to protect their financial and medical information,” Emery said. “No one wants to find out through an auto-generated letter from a company they’ve never heard of that their medical provider lost their sensitive financial and health information to criminals months ago.”
VMFH is accused of negligence, breach of implied contract, invasion of privacy and violation of multiple laws, including the Washington Consumer Protection Act and the state’s data breach disclosure law, which requires timely disclosure to individuals affected by certain-sized data breaches and to the state attorney general.
The incident couldn’t be found Friday on the state Attorney General’s Office data breach notification page, which tracks incidents that are reported to it.
The suit seeks unspecified damages and penalties, a lifetime of credit-monitoring services, attorney fees and an injunction that would require VMFH to improve security measures and purge McClendon’s personal information, unless it can justify to the court retaining that data. The injunction requiring that personal data be destroyed would apply to class members, too, if the lawsuit is ultimately certified as a class-action case.
Emery is also representing a plaintiff in a lawsuit filed last month involving a major data breach at Pierce College. That suit seeks class-action status as well. Emery said that plaintiff motions for class-action certification rarely occur within the first six months after complex privacy and data cases are filed.
A year ago, VMFH’s parent company, Chicago-based CommonSpirit Health, was sued in federal court in Illinois over a disruptive ransomware attack affecting more than 620,000 patients. The proposed class-action case was dismissed in October due to a lack of jurisdictional standing, court records show. A second suit, filed in the same court in January, was ongoing.