New state law to protect entities under cyber attack from class action suits amid Ascension Health hack

Tori Gessner
·3 min read
2

NASHVILLE, Tenn. (WKRN) — Another healthcare system is under a cyber attack, and while it’s unclear what, if any information has been accessed, a soon-to-be law will prevent those whose information may have been exposed from filing a class action lawsuit against entities that are hacked as long as the organization wasn’t grossly negligent.

According to a spokesperson for Ascension Health, the organization noticed “unusual activity” May 8, which they determined was due to a ransomware attack. As a result, ambulances are being diverted in some cases, non-emergency procedures, tests, and appointments have been put on pause, and online access to patients’ medical records is blocked.

Ascension Health has been providing updates about the cybersecurity attack here.

📧 Have breaking come to you: Subscribe to News 2 email alerts

The healthcare sector ranked as the top target for ransomware last year, according to a new federal report.

Joey Peay, the CEO of the Murfreesboro Medical Clinic testified to lawmakers about the organization’s cyber attack which occurred last April.

“We’re dealing with cyber terrorists that are being financed by what I would consider acts of war by foreign, bad actors that do not like our country, and they’re attacking us,” Peay said.

Peay told lawmakers the clinic took every precaution to prevent the situation. Despite that, nine days after the clinic’s network systems were compromised, the first of six class action lawsuits was filed against the organization.

“Nine days, we’re still getting demands from the cyber terrorists that if you don’t pay us, we’re going to release your data. Nothing had been released, there had been no damages to that point, and we already had the first lawsuit,” Peay said.

The entity plans to pay out a settlement “well over” seven figures soon, similar to East Tennessee Children’s Hospital which paid $1.55 million in a class action settlement after facing a data breach in March 2022.

Read the latest from the TN State Capitol Newsroom

However, had a new state law been in effect, it may have prevented the lawsuits in the first place.

Senate Bill 2018, which passed last session, will prevent those whose information may have been accessed in a cyber attack from suing the entity that was hacked, as long as the event wasn’t caused by “willful, wanton, or gross negligence.”

“We can’t stop that attack, but what we can do is try to put things in place so they’re not being caught up in civil action lawsuits when they’re just trying to get back on their feet,” Sen. Shane Reeves, (R-Murfreesboro) said.

Despite some trial attorneys’ efforts to fight against the bill, arguing it grants immunity to organizations that fail to use reasonable care, the legislation now sits on Gov. Bill Lee‘s desk.

Peay argued the plaintiffs in class action lawsuits don’t financially benefit anyway.

“They get chump change,” Peay said. “They get a couple thousand dollars apiece. The trial lawyers are splitting almost $400,000. It’s just become a racket for trial lawyers exploiting what could’ve driven our company into bankruptcy.”

Ascension Health is working with federal agencies and a top cybersecurity unit, among other organizations, to investigate the ransomware attack.

⏩ Read today’s top stories on wkrn.com

The following statement was Ascension Health’s most recent update at the time this article was published, released by an Ascension spokesperson:

“We continue to diligently investigate and address the recent ransomware incident, working closely with industry leading cybersecurity experts to assist in our investigation and restoration and recovery efforts. Additionally, we have notified law enforcement, as well as government partners including the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the American Hospital Association (AHA). We remain in close contact with the FBI and CISA, and we are sharing relevant threat intelligence with the Health Information Sharing and Analysis Center (H-ISAC) so that our industry partners and peers can take steps to protect themselves from similar incidents.

While our restoration work continues in earnest, our focus is on restoring systems as safely as possible. While we expect this process will take time to complete, we are making progress and systems are being restored in a coordinated manner at each of our care sites. We will continue to share updates on our recovery process.”

For the latest news, weather, sports, and streaming video, head to WKRN News 2.