On September 29, 2021, Schneck Medical Center in Indiana announced that it had been the victim of a cyberattack. But it wasn’t until May, 2022, that the medical center began notifying what they characterized as a “limited number” of patients about the incident.
As DataBreaches reported at the time, their notification left important questions unaddressed. DataBreaches’ attempt to get clarification from them as to whether this was a ransomware incident and why they stated that Schneck “has no evidence that any of the information was or will be misused,” went unanswered.
Maybe plaintiffs will be able to get answers to those questions in discovery, because now the medical center has been named in a class action lawsuit. The Republic provides some of the details.
One of the claims reported to be part of the lawsuit is that the medical center allegedly violated state law by not providing timely notification. Indiana’s data breach notification law was amended this year to require notification no later than 45 days after discovery of the breach, but that amended law does not go into effect until July 1, and DataBreaches suspects that in either event, Schneck will argue that it was not until March of 2022 after diligent efforts that they discovered that protected health information was involved, etc.
It is not clear that any plaintiff can actually demonstrate concrete injury or harm and not just the potential or likelihood of harm, so whether the litigation will survive a motion to dismiss for lack of standing remains to be seen.