TAMPA — Personal injury firm Morgan & Morgan has filed a class-action lawsuit against Tampa General Hospital, accusing the nonprofit of losing control of its patients’ sensitive personal information in a data breach “perpetrated by cybercriminals.”
The lawsuit was filed late Friday in Hillsborough County on behalf of three patients who were among the 1.2 million whose personal data was compromised in the hack. It does not name them but states that one has already been the victim of identity theft and that another is a retired FBI agent.
In the lawsuit, attorneys also accuse the hospital of putting patients at more risk of identity theft by delaying notification of the data breach for more than two months.
Tampa General reported on July 19 that a “criminal group” stole confidential information of about 1.2 million patients. The data compromised varied by patient but included names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, dates of service and limited information about treatment.
According to the lawsuit, that included records that would be protected under the 1996 Health Insurance Portability and Accountability Act, more commonly known as HIPAA.
The data theft, which is being investigated by the FBI, came to light after the hospital detected “unusual activity” on its computer systems on May 31. An investigation aided by a third-party forensic firm found that an unauthorized user obtained access to data files over a three-week period through May 30.
That gave the hackers 19 days to steal patient data while they were still undetected, according to a statement released by Morgan & Morgan attorneys John Morgan and Ryan McGee.
“Our clients’ allegations in this case paint a picture of Tampa General Hospital’s cavalier attitude toward cybersecurity and patient privacy,” the statement reads. “It is our hope that this lawsuit will not only secure justice and accountability for the patients whose privacy and peace of mind have been irrevocably violated, but also will spur Tampa General Hospital to take additional steps to protect their patients’ privacy in a manner appropriate for the current climate of cyberattacks.”
Hospital officials declined to comment, citing an ongoing investigation and, now, ongoing litigation.
According to a webpage set up for patients, the hospital took steps to restrict the unauthorized intrusion and began an investigation. Patients affected were informed of the data breach about two weeks ahead of a 60-day deadline required by federal law.
May’s hack was not the first time Tampa General patient data has been compromised, according to Department of Health and Human Services records. In 2014, data on 675 patients was accessed by an unauthorized user.
Staff writer Teghan Simonton contributed to this story.