
A chain of Catholic hospitals and physician practices has reported a 2023 healthcare data breach that likely compromised the protected health information (PHI) of nearly 900,000 patients. Hospital Sisters Health System (HSHS), which operates primarily in Illinois and Wisconsin, faces multiple data privacy class action lawsuits over the incident.

In October 2023, HSHS filed a breach report with the U.S. Department of Health and Human Services (HHS), noting that a data breach affected at least 500 people. Before the investigation was complete, the health system didn’t know the magnitude of the breach but needed to file a report to comply with HIPAA.

An Updated Report

Last week, HSHS filed a new breach report in Maine, revealing that the breach affected 882,782 people. A sample breach notice filed in Maine indicates that HSHS has been notifying affected individuals on a rolling basis during its review of the compromised files.

The hacking incident was discovered on August 27, 2023, when HSHS learned that an unauthorized third party had accessed its network. HSHS reported the breach to law enforcement and engaged a forensic security firm to assist with the investigation. The investigation found that the hacker had accessed specific files between August 16 and 27, 2023, resulting in several days of downtime for HSHS’s systems.

The information that may have been compromised includes names, addresses, dates of birth, medical record numbers, treatment information, Social Security numbers, and driver’s license numbers.

While HSHS doesn’t explain why the investigation took so long to complete, it may be due to the large volume of data and the challenge of coordinating across the health system’s multiple facilities.

HSHS Faces Four Class Action Lawsuits

Although HSHS stated that there is no evidence that personal information has been misused for fraud or identity theft, an open letter published on its website last fall warned patients not to respond to suspicious communications claiming to be from HSHS.

HSHS is facing multiple lawsuits, including a proposed class action filed in December in federal district court in Illinois. The plaintiffs allege they have received persistent robocalls claiming to be from HSHS asking for unpaid balances, despite HSHS’s confirmation that their balances were paid.

Another lawsuit is a consolidated proposed federal class action by plaintiffs whose information was compromised in HSHS’s August 2023 hacking incident. That lawsuit, also in federal district court in Illinois, includes allegations of negligence, unjust enrichment, and breach of contract related to the data breach.

HSHS and its affiliated physician practice Prevea face a proposed federal class action filed in September that alleges, among other claims, that their use of tracking pixels on their websites and patient portals “systematically” violates patients’ medical privacy rights by disclosing sensitive information to third parties, such as Meta, without their consent.

In addition to those lawsuits, a separate proposed class action lawsuit related to employment privacy alleges that HSHS violates the Illinois Genetic Information Privacy Act by requiring potential hires to submit to a pre-employment medical examination requiring applicants to disclose their family medical history.

Two or more of these lawsuits may be consolidated if the judge finds the claims are similar enough and the underlying facts are the same.

HIPAA Compliance Will Be Under Scrutiny

While HIPAA does not provide for private lawsuits by individuals to enforce its rules, plaintiffs in a breach of privacy lawsuit will try to show that the defendant didn’t follow HIPAA carefully enough and, therefore, was negligent. They will use HIPAA as a standard of care and a measure of “best practices.”

HSHS will likely be required to reveal, for example, whether its HIPAA policies are up-to-date, whether it has performed a HIPAA risk analysis, follows the HIPAA Security Rule, has appropriate cybersecurity protocols in place, and has trained its workforce.

Since HHS investigates all breaches affecting 500 or more individuals, the health system will also need to answer to the HHS Office for Civil Rights (OCR) about its HIPAA compliance practices.
