Kettering Health hit with class-action lawsuit weeks after ransomware attack
After being hit by a ransomware attack last month that delayed healthcare delivery across its system, Kettering Health is now facing a class-action lawsuit from disgruntled patients, attorneys Michael Wright and Richard Schulte of Wright & Schulte announced on Monday.
In a press conference, the duo accused Kettering of negligence, failing to protect patients who needed immediate treatment for cancer and other serious illnesses while its network was down.
Wright & Schulte said patients were forced to miss scheduled chemotherapy and others could not get access to prescriptions. Now roughly a month after the incident, many are allegedly still experiencing delays.
The attorneys said more than 200 patients have reached out to their office, reporting various issues. Some have already signed onto the lawsuit, which was filed in a county court in Ohio. Added to the list of complaints, multiple patients allegedly told the law firm they were unable to access their medical records, while others fear their data has already been leaked.
Early on during the attack, Kettering admitted in a statement that it had received notices that patients were receiving scam phone calls from individuals posing as representatives of the health system, seeking payment for supposed overdue medical bills.
Kettering alerted the public in response, saying at the time it was not conducting any billing outreach. It would not confirm the spam was related to the cyberattack, citing a pending investigation.
However, patient data was apparently taken by hackers, as the cybercrime cell Interlock has taken credit and posted a data trove from Kettering for sale on the dark web. The infamous group has been responsible for more than a dozen attacks against public and private entities in the last year alone.
According to cybersecurity firm Comparitech, which discovered the data leaked online, the trove was 941 GB in size and contained 732,490 files, spread across 20,418 folders, and included driver’s licenses, payment data and more, all from patients.
Plaintiffs in the lawsuit do not believe the health system did enough to secure the sensitive data.
“There’s quite a bit of sensitive information when they’ve got all your medical history,” Kerry Corthell, a patient, said during the press conference. “My primary concern is that they can use pieces of information on the dark web to create a scam that I might fall for because it seems so real and accurate.”
Further, the lawsuit contends Kettering has not been forthcoming about the specifics of the attack, given that details, such as the data trove on the dark web, ultimately had to be reported by members of the media.
To date, it is not known if the health system paid a ransom to the attackers, and the full scope of the breach has not been revealed. Health Exec reached out to Kettering for more details but never received a reply.
“They have a duty to communicate the nature of the breach, the type of data that was breached and what happened to it. They haven’t done that,” Richard Schulte said of the health system’s response.
Local NBC affiliate WDTN has more on the pending litigation, which has yet to be reviewed by a judge. The outlet said the law firm encourages anyone who was affected by the cyberattack to consider signing onto the class-action lawsuit.
Kettering confirms recovery
In its latest update, Kettering confirmed its electronic health record was back online and it was actively connecting with patients to reschedule care.
The non-profit health system has nine hospitals and dozens of primary, specialty and acute care clinics in the greater Ohio region, all of which experienced an outage during the ransomware attack and subsequent recovery.
How Interlock gained access to the hospital’s network remains unknown.