Lawsuit claims thousands of patients’ information compromised in Tidelands Health ransomware attack

CHARLESTON, S.C. (WCSC) - Tidelands Health is facing a federal class action complaint after a ransomware attack left the hospital system’s computer systems and data offline in December.

The court documents were filed Tuesday by two patients who claim their medical records and services were compromised by the malware incident.

Brandi Kersey, one of the plaintiffs, was scheduled for a nuclear stress test at Tidelands Waccamaw Hospital after suffering two strokes last year, but when she arrived for her appointment, she was told the computer system was hacked and her test was canceled, according to court documents.

“Ms. Kersey was then told that the hospital would have to call her when things were fixed, thereby delaying and disrupting her course of care and treatment,” court records stated.

The other named plaintiff, Starr Collister, said the ransomware attack caused staff to repeatedly give her food she was not able to eat because nurses were not able to access her medical records.

“She had to repeatedly wait for nurses to attend to her as they were tied up with manual paperwork, and discharge after her three-day hospital stay was ‘a nightmare,’” court documents said.

The potentially, more lasting impact of the ransomware attack though is that thousands of patients’ highly sensitive medical records could have been compromised. The complaint claims names, social security numbers, driver’s license information, medical information and other protected health information were exposed to hackers. The concern is that the information could now be used by data thieves to commit a variety of crimes.

However, Tidelands Health officials maintained a data breach had not occurred.

“To date, we have no evidence that patient medical information was exfiltrated during the Dec. 12 malware incident. However, the investigation is ongoing. We will continue to take appropriate steps to address the situation, collaborate with the appropriate authorities and notify any impacted individuals, if and when that is needed,” Tidelands Health spokesperson Dawn Bryant said in a statement.

Bryant added that upon discovery of the incident, Tidelands Health immediately engaged external cybersecurity experts to help secure the hospital system’s network, restore systems and investigate the situation.

“Our primary computer systems have been restored, and we have resumed normal operations. Our hospitals and outpatient locations continue to deliver safe, high-quality care to our patients and community,” Bryant said.

However, the complaint claims the ransomware attack exposed the plaintiffs and class members to a heightened and imminent risk of fraud and identity theft and left those impacted to pay for credit monitoring services and other measures to protect themselves.

“…taking out loans in Class Members’ names, using Class Members’ names to obtain medical services, using Class Members’ health information to target other phishing and hacking intrusions based on their individual health needs, using Class Members’ information to target other phishing and hacking intrusions based on their individual health needs, using Class Members’ information to obtain government benefits, filing fraudulent tax returns using Class Members’ information, obtaining driver’s licenses in Class Members’ names but with another person’s photograph, and giving false information to police during an arrest,” court documents stated.

Court documents claim Tidelands Health has failed to notify patients whose private information was impacted, has not publicly announced the results of its investigation, and has not reported the data breach to the Department of Health and Human Services.

The complaint accused the hospital system of negligence, among other things, for failing to protect the private information of its patents.

Copyright 2020 WCSC. All rights reserved.