HCA Healthcare Faces Class Action Lawsuit Over Data Breach

In a recently filed lawsuit, Elizabeth Crown, a patient of HCA Healthcare, Inc., has launched a class-action lawsuit against the healthcare giant, alleging serious data privacy violations. The lawsuit, filed in the Eighth Judicial District Court of Clark County, Nevada, accuses HCA Healthcare of failing to protect the personal identifying information (PII) of Crown and millions of other patients in a cyber-attack on its servers.

The complaint alleges that HCA Healthcare became aware of the breach on or about July 5, 2023, but did not notify the affected individuals until a month later. According to the lawsuit, the cybercriminals accessed a trove of personal information, including patients' names, addresses, email addresses, telephone numbers, dates of birth, gender, and appointment details. "Defendant failed to safeguard the confidential personal identifying information (PII) of the plaintiff and millions of individuals (Class Members) in a cyber-attack on its servers," the complaint reads. This has put Crown and the other class members at a high risk of identity theft, unauthorized access to email accounts, and other fraudulent use of their PII.

The lawsuit is grounded in three main legal theories: negligence, invasion of privacy by public disclosure of private facts, and breach of implied contract. The negligence claim alleges that HCA Healthcare failed to maintain reasonable data security measures, violating the duty of care that companies owe to their customers. On the other hand, the invasion of privacy claim accuses HCA Healthcare of unauthorized disclosure of private information, a violation of the right to privacy. Finally, the breach of implied contract claim alleges that HCA Healthcare failed to protect and secure the private information that patients entrusted to them, a violation of the implied contract between the company and its customers.

The Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices in commerce, is also referenced in the lawsuit. According to the complaint, HCA Healthcare's failure to maintain reasonable data security measures constitutes an unfair act or practice under the Act.

Crown and the other class members are seeking various damages, including actual damages, economic damages, emotional distress damages, statutory damages, nominal damages, exemplary damages, and injunctive relief. They are also seeking to recover the fees and costs of litigation.

The class members are defined as all persons whose sensitive personal information was obtained by an unauthorized individual during the data breach in July 2023.

This lawsuit is a stark reminder of the importance of data security in the healthcare industry, which maintains large volumes of patient PII. As the case unfolds, it will undoubtedly set a precedent for how healthcare companies handle and protect their patients' personal information.