Schneck facing class action lawsuit for data breach

SEYMOUR — Schneck Medical Center faces a class action lawsuit related to a data breach that occurred Sept. 29, 2021.

That lawsuit was filed on behalf of Jalen Nierman and all others who may have been affected by the data breach, which he contends the Seymour hospital deliberately underplayed its severity and misrepresented there was no evidence cybercriminals had “misused” the stolen information even though Schneck knew the cybercriminals had infiltrated its systems for months without detection.

The lawsuit was filed on behalf of the Columbus man on Monday in Jackson Superior Court I in Brownstown by the Indianapolis law firm of Cohen and Malad LLP and the Madison, Wisconsin, law firm of Turke and Strauss LLP.

Schneck officials issued a statement, saying “Schneck Medical Center has no evidence that any of the information was or will be misused. However, out of an abundance of caution, Schneck notified individuals whose information was included in the limited number of files involved in this incident. Notified individuals have been provided with credit monitoring services where applicable, and best practices to protect their information. As a team of dedicated and caring medical professionals, we understand that healthcare is about people taking care of people and Schneck is committed to its patients, their treatment and their families – as well as to protecting the privacy and security of their personal information.”

The lawsuit contends Schneck had lost control of at least 92,000 of its former and current patients’ highly sensitive personal and medical information to cybercriminals and then failed to adequately notify victims of the breach.

The stolen personal health information included at least patients’ names, contact information, addresses, dates of birth, financial account and/or credit card information, medical records and diagnoses, driver’s license numbers and Social Security numbers, according to the lawsuit.

The 16-page lawsuit also contends cybercriminals were able to breach Schneck’s systems because the hospital did not maintain reasonable security safeguards or protocols to protect its patients’ PHI, leaving it an unguarded target for theft and misuse.

It further contends Schneck’s failure to timely detect and notify breach victims violates Indiana law and has made its patients vulnerable to identity theft without any warnings to monitor their financial accounts or credit reports to prevent unauthorized use of their public health information. Because of the data breach, Schneck also failed to adhere to the Health Insurance Portability and Accountability Act of 1996 aka HIPPA, according to court documents.

The lawsuit, which seeks damages to be determined, asks the judge to direct Schneck to adequately safeguard the personal health information of the plaintiff by implementing improved security procedures and measures and provide notice to each member of the class relating to full nature and extent of the data breach and the disclosure of protected health information to unauthorized persons.

On or about May 17, Schneck started notifying breach victims that hackers had gained unauthorized access to patients’ confidential personal identifying information and/or protected health information.

Nierman is a current patient at Schneck, and as part of making payment for medical treatment and services, those payments included amounts for data security.

The lawsuit contends he will have to spend considerable time and effort over the coming years monitoring his accounts to protect himself from identity theft.