August 2021 Cyberattack Sees Memorial Health System Facing Class Action Lawsuit


Following a cyberattack and data breach that was first discovered by Memorial Health System on August 14, 2021, Marietta Area Health Care Inc., which operates as Memorial Health System, is facing a class action lawsuit.

After the discovery of the breach, an investigation showed that hackers initially obtained access to company databases at some point around July 10, 2021. Following this they managed to download malware to the network. This illegal access remained open until August 15, 2021.

Breach notification letters, issued to those that may have been impacted in the breach, confirm that Memorial Health System discovered on September 17, 2021, that the cybercriminals may have accessed or acquired information from its databases. The examination of these impacted systems came to an end on November 1, 2021, and impacted individuals were made aware of the breach on January 12, 2022. They were given the chance to avail of a one-year free membership to a credit monitoring service. The breach notice filed to the Maine attorney general states that the personal data of 216,478 may have been obtained by hackers.

On behalf of plaintiff Kathleen Tucker and other individuals affected by the breach, the lawsuit was submitted to the U./S. District Court of the Southern District of Ohio, Eastern Division against Marietta Area Health Care Inc. dba Memorial Health System.

The submitted papers claim that the plaintiff’s and class members’ personal data, incorporating names, birth dates, medical records, patient account details, Social Security information, and medical details, was infiltrated and illegally accessed, and that the plaintiff and class members, “suffered ascertainable losses in the form of the loss of the benefit of their bargain, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.”

The lawsuit claims that Memorial Health System behaved in a negligent manner by maintaining the private information of patients in a careless fashion by holding the data on databases that were susceptible to being infiltrated by cybercriminals. The lawsuit claimed that the dangers posed by cyberattacks was known by the defendant. However, the required measures to mitigate this threat were not put in place. Along with this, the legal action alleges ‘negligence per se, breach of implied contract, and unjust enrichment’.

The action claims that the plaintiff and class members have been put in a higher level of danger, than is normal, of fraud and identity theft. Due to this they must now and going forward keep a very close eye on their financial activity to protect themselves from identity theft. Extra expenses have also been incurred, including the cost and time of implementing credit monitoring services, credit freezes, and credit reports.

The class action suit is requesting a jury trial and compensatory damages, treble compensation, punitive damages, reimbursement of out-of-pocket expenses, and injunctive relief, which should account for enhancements to Memorial Health System’s data security systems, future annual audits, and supplying adequate credit monitoring services to people impacted by the cyberattack.

Console & Associates, P.C. legal practice has begun an investigation into the cyberattack and data breach. The legal action was submitted by attorney Joseph M. Lyon of The Lyon Firm, LLC.