Ernest Health, a Texas-based health system operating across multiple states, is facing legal action after a significant data breach resulting from a ransomware attack compromised the protected health information of at least 101,413 patients. The cyberattack, attributed to the LockBit ransomware group, occurred between January 16, 2024, and February 4, 2024, with the group threatening to publish the stolen data on its leak site. The compromised data included sensitive information such as names, contact information, dates of birth, health plan IDs, health data, Social Security numbers, and driver’s license numbers.
On February 1, 2024, Ernest Health detected suspicious activity in its networks, which led to the discovery of the breach. The health system, which operates hospitals in 13 states including Arizona, California, Colorado, and more, confirmed the unauthorized network access and subsequently acknowledged the extent of the data compromised. In response, the health system claimed to have implemented additional security measures to prevent future incidents.
The lawsuit against Ernest Health was filed by plaintiffs Joe Lara and Lauri Cook on behalf of themselves and others similarly affected by the breach. They allege that Ernest Health’s failure to maintain adequate cybersecurity safeguards and provide sufficient cybersecurity training for its employees directly contributed to the magnitude of the breach. Furthermore, the lawsuit criticizes the health system’s delayed response in notifying affected individuals, arguing that this denied patients the opportunity to timely mitigate the potential damage from the breach.
The legal action seeks a jury trial and a variety of remedies including declaratory and equitable relief, injunctive relief, and compensatory, exemplary, punitive, and statutory damages. The plaintiffs assert claims of negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty. Represented by Joe Kendall of the Kendall Law Group and Samuel J. Strauss and Raina Borrelli of Turke & Strauss, the lawsuit highlights the ongoing challenges and responsibilities that healthcare providers face in protecting patient data in an increasingly digital and interconnected environment.
