Ascension is facing the first class-action complaints related to a ransomware attack it reported last week that shut down systems and continues to disrupt operations.
The two complaints — one filed Sunday by patient Katherine Negron in the U.S. District Court for the Northern District of Illinois and another filed Monday by patient Ana Marie Turner in the U.S. District Court for the Western District of Texas — allege that Ascension failed to properly safeguard patients' private information and put them at risk of fraud or identity theft.
Related: How the healthcare sector is handling cybersecurity training
The complaints, both brought by the Chicago-based Law Offices of T.J. Jesky, are seeking damages and injunctive and declaratory relief. The Illinois suit requests a jury trial.
"The data breach was a direct result of [Ascension's] failure to implement adequate and reasonable cybersecurity procedures and protocols," the Illinois complaint states. "[Ascension] knew or should have known of the inherent risks in collecting and storing the private information of [patients], the critical importance of providing adequate security of that private information, and the necessity for encrypting private information stored on [Ascension's] systems."
An Ascension spokesperson said Wednesday the nonprofit health system is conducting "a thorough investigation," and will notify and support affected individuals if it determines sensitive data was accessed.
St. Louis-based Ascension said May 8 it had detected "unusual activity" on its technology network and contacted authorities, confirming it as a ransomware attack a couple days later. System outages have forced Ascension to cancel some elective procedures and divert emergency cases to other facilities. Clinicians are manually updating health records, ordering tests and dispensing medications.
Ascension operates 140 hospitals across 19 states and the District of Columbia. A webpage giving general updates on the cyberattack is also providing information relevant for individual states.
Ascension is one of many healthcare organizations that have fallen victim to cyberattacks as the industry's growing reliance on technology has made it more vulnerable. Kaiser Foundation Health Plan reported a breach in April affecting 13.4 million people. UnitedHealth Group-owned Change Healthcare is still working to restore its systems almost three months after a widespread attack on its operations.
Last week, the Biden administration said it intends to set minimum cybersecurity requirements for hospitals.