CentraState Data Breach – Can you sue the hospital?
➕ 617,000 CentraState patients had personal data compromised
➕ The first lawsuit has been filed against the hospital
➕ If your data is compromised, can you sue?
Despite heightened security alerts, large data breaches are becoming more common. But can you sue if you're a victim of a data breach?
According to legal experts, each case is different, and the answer is not always clear.
Generally, however, unless you can show actual damages, a lawsuit is not likely to be successful.
CentraState Data Breach
On Feb. 10, CentraState Medical Center revealed they were the subject of a data breach that compromised the personal data of 617,00 of it's patients.
The breach actually happened last December.
All we know about it is what CentraState has shared publicly.
New Jersey 101.5's Dan Alexander reported the following:
The hospital first reported an "IT security issue" on Dec. 30 that affected some hospital services including the admission of emergency room patients but did not disclose details about the issue.
A subsequent investigation found that an "unauthorized person" obtained a copy of an archived database that stored patient information. The statement did not disclose who was responsible for the theft or if any charges were filed.
The information exposed varied by individual but potentially included a treasure trove of personal information including name, address, date of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, doctor notes, information on care received at CentraState and prescription information.
No financial or payment information was kept in the archive.
The hospital began mailing letters to affected patients in mid-February offering free credit monitoring and identity theft protection services to individuals whose Social Security number was involved.
First lawsuit filed
Manalapan resident Rita Sorrentino-Poggi has retained a lawyer to file suit against CentraState. She says she was notified Feb. 8 that her data was compromised in the December breach.
The suit contends CentraState was at fault for failure to implement "adequate and reasonable cybersecurity procedures," and of waiting too long to notify impacted patients.
Sorrentino-Poggi's lawyer told NJ.com additional patients and victims of the data breach are expected to join the suit, which is seeking changes to CentraState's business and security practices as well as monetary damages.
CentraState said they cannot comment on pending/potential litigation.
Have there been similar legal actions?
There have, and you can read about them HERE.
Among the biggest settlements in the U.S. came from data breaches investment bank Morgan Stanley (2022), Uber (2016), Capitol One (2021), and Home Depot (2014).
The circumstances are all different, and involved different types of data, but in each case, plaintiffs were able to demonstrate actual damages. Most of these types of lawsuits are settled before going to court. In some cases, federal regulators also levy severe fines on the companies involved.
State and federal consumer fraud agencies as well as the Security and Exchange Commission have been swift to act when they believe the breach is due to the negligence of the company involved.
What has to be proven in these types of lawsuits?
According to the legal scholar and resource website HG.org, there are multiple things that factor into data breach lawsuits. They include:
⬛ The Data Breach Injury
"It is possible to sue the company that holds the data when the victim is able to prove that the security measures were lacking the necessary strength to prevent a reasonable attack."
In other words, did the company take the necessary security measures to ensure private data would not be compromised.
⬛ Suing the Responsible Party
This often is not possible, since the party responsible for stealing the information often remains anonymous and cannot be brought to justice.
The legal experts at HG.org say that is why the company or organization that held the data is often targeted in civil lawsuits for the damage the data breach caused.
They note, "There are certain steps that are reasonable which the judge may hold against the plaintiff if he or she fails to accomplish these tasks. When attempting to sue the company, the individual will need prove negligence with the data breach."
Does any of this apply in the CentraState case?
That is certainly what the lawsuit alleges, but it would be wild speculation at this point. CentraState has not responded to the lawsuit, so it is impossible to know what their defense will be.
The hospital is offering free credit monitoring and identity theft protection services to individuals whose Social Security number was involved.
Sorrentino-Poggi does allege actual damages in her lawsuit.
What should I do if I was a victim of the data breach?
If you think your information may have been compromised in this case, or any other, the website IdentityTheft.gov was set up by the Federal Trade Commission to guide you through the steps to take. It's a great resource.
Access the website HERE.
Should I sue?
That is a question only you can answer. If you are thinking of legal action, consult with a legal professional to discuss your options.
Disclaimer: Every effort has been made to ensure the accuracy of the information included in this article at the time it was published. It is not intended to provide legal advice or suggest a guaranteed outcome. Readers considering legal action should consult with an experienced lawyer to understand current laws and how they may affect a case.
Eric Scott is the senior political director and anchor for New Jersey 101.5. You can reach him at email@example.com
Click here to contact an editor about feedback or a correction for this story.