Lawsuits are trickling in against Nashville-based HCA Healthcare over a massive data breach that disclosed the personal information of nearly 11 million patients.
Two lawsuits seeking class-action status were filed this week in the Middle District of Tennessee, alleging the publicly held health system failed to implement basic data security practices. Plaintiffs in both suits allege HCA negligently stored patient information and failed to abide by security guidelines outlined by the Federal Trade Commission and the Health Insurance Portability and Accountability Act of 1996.
The breach will put those affected at increased risk of identity theft, court filings allege. In addition to monetary damages, one lawsuit seeks to require HCA to improve its data storage and security infrastructure.
HCA disclosed the data security incident, which spanned 171 hospitals and 19 states, on Monday. The data was stolen from external storage used for scheduling and later shared online. The breach included patient names, care locations, contact information, birth dates, gender and appointment times.
HCA said the exposed data has since been secured and offered credit monitoring and identity protection services to anyone affected.
"Our focus now is on our patients and ensuring they have information about the data security incident and the actions already underway to take care of them," a spokesperson said in an email on Friday. "Our commitment to our patients is unwavering and is not affected by any class action lawsuits or other legal proceedings. We will respond to any lawsuits or proceedings, in the appropriate forums and ordinary course."
The incident is one of the largest data breaches reported since tracking began in 2010, the largest being a breach at health insurance company Anthem in 2015 that affected nearly 79 million individuals.