By Jeff Wardon, Jr., Assistant Editor

Frederick Health Hospital (FHH) is facing five class action lawsuits over a January ransomware attack that compromised sensitive patient data, Frederick News Post reports. The lawsuits accuse FHH of inadequate cybersecurity, poor breach notification and failing to protect patients from identity theft risks. The plaintiffs seek jury trials and unspecified damages. 

The lawsuits allege that FHH did not follow industry-standard cybersecurity practices and failed to properly inform affected individuals. Plaintiffs claim the hospital’s breach notice lacked key details, such as when the investigation occurred and how the breach happened. FHH acknowledged the attack on March 28, saying a shared drive containing patient data was accessed, but emphasized its systems were taken offline proactively. 

Lawsuits over cyberattacks and data breaches are nothing new, as PIH Health, Dameron Hospital Association and Sunflower Medical Group have recently learned. These lawsuits can be costly, especially when stacked on top of the potential costs of the cyberattack or data breach itself. 

The average cost of a data breach in general in 2024 was roughly $4.88 million, according to The HIPAA Journal. Meanwhile, the costliest breaches occurred at healthcare organizations, which averaged to about $9.77 million in 2024.  

A data breach at CommonSpirit cost the organization around $160 million without legal costs included. A class action lawsuit was filed against the organization that sought damages for the plaintiffs and class exceeding $5 million, injunctive relief and legal costs. 

Maintaining adequate cybersecurity practices is crucial if a healthcare organization wishes to avoid any cyberattacks or data breaches and their resulting costs. One approach to strengthening cybersecurity and response plans is through information sharing with other organizations. 

Healthcare providers must share information with each other about cyberattacks and data-protection strategies, Errol Weiss, chief security officer at Health-ISAC, previously told Healthcare Facilities Today. This collective approach allows organizations to tighten defenses against attackers that are growing sophisticated with their methods. 

The Ryuk ransomware was targeting the Healthcare and Public Health Sector (HPH) back in 2019 to 2020, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Healthcare organizations that were members or partnered with Health-ISAC were alerted to ransomware being detected across different facilities. Healthcare facilities that hadn’t been attacked yet were able to proactively deploy their cybersecurity protocols. 

“The challenge of securing healthcare data is complex and evolving, but collaboration across the industry can make a substantial difference,” says Weiss. “When healthcare facilities and their partners unite to focus on cybersecurity, they create a stronger network that is better equipped to protect the sensitive data patients entrust to them even as threats continue to grow.” 

Jeff Wardon, Jr., is the assistant editor of the facilities market.