Lawsuit Claims ChristianaCare Failed to Safeguard Patient Data After Breach

Delaware-based ChristianaCare and its service provider are facing a class action lawsuit over allegations of inadequate data protection after an unauthorised network breach.

 

Last year, in a data security incident notice posted on its website, ChristianaCare said that in April, Oracle Health notified the organisation of a breach in which threat actors gained unauthorised access to legacy Cerner systems on January 22 and stole confidential data belonging to the healthcare provider.

 

Oracle Health, formerly known as Cerner, is a US-based multinational healthcare software provider specialiSing in health information technology platforms and services, including Electronic Health Records (EHR) and business operations systems for hospitals and healthcare organisations.

 

Following an investigation, Oracle Health determined that the compromised data included individuals’ names, Social Security numbers, and details contained in patient medical records, such as medical record numbers, physicians, diagnoses, medications, test results, images, and treatment information.

 

According to reports, approximately 30,000 individuals were impacted by the incident.

 

Shortly after affected individuals were notified, two plaintiffs—Chase Stout of Newark and Lisa Addi of North East, Maryland—filed a class action lawsuit alleging that ChristianaCare and Oracle Health were negligent in failing to adequately secure their network against unauthorised access.

 

The plaintiffs added that Oracle failed to notify affected patients and did not properly secure the data, arguing that the breach could have been prevented.

 

The plaintiffs are seeking restitution and damages, and are requesting that the court bar the hospital and Oracle from engaging in further deceptive practices or making misleading statements regarding the data breach and the compromised sensitive information.

 

“Due to intentionally obfuscating language and a lack of formal notification, it is unclear how long it took defendants to discover that they had been subject to a breach and how long cybercriminals had unfettered access to plaintiffs’ and the class’s most sensitive information,” the complaint said.