Governance, Risk and Compliance, Content

Patients Sue Alabama Healthcare System After Ryuk Ransomware Attack


Four patients visiting three hospitals in Alabama have filed a class action lawsuit against operator DCH Health System charging the company violated federal health information privacy laws (HIPAA) and endangered their medical care during a ransomware attack three months ago.

The patients, all of whom are identified in the claim, accuse the health system of negligence, invasion of privacy, breach of contract and breach of fiduciary duty resulting from the October 1, 2019 Ryuk ransomware attack that crippled DCH for 10 days, reported. The lawsuit has been filed in the Western Division of U.S. District Court for the Northern District of Alabama. The cyber extortion, which infected systems at DCH Regional Medical Center, Fayette Medical Center and Northport Medical Center, forced the facilities to turn away all but critical care patients.

“Because of the ransomware attack, plaintiffs and class members had their medical care and treatment as well as their daily lives disrupted,” the lawsuit claimed. “As a consequence of the ransomware locking down the medical records of plaintiffs and class members, plaintiffs and the class members had to forego medical care and treatment or had to seek alternative care and treatment.” (via

Three of the plaintiffs described their claims, which ranged from an inability to get prescribed medications to being turned away from treatment for a severe allergic reaction to inadequate follow-up treatment. A fourth patient contended less specifically that her medical records and care had been compromised.

In the attack’s wake, officials said the hacker gained access to medical records and other patient information but no data has been misused or removed from DCH’s systems. However, the plaintiffs maintain that DCH violated HIPAA laws and other laws governing medical records and failed to secure sensitive patient information. “Defendant breached its obligations to plaintiffs and class members and/or was otherwise negligent and reckless because failing to properly maintain and safeguard its computer systems and data,” the filing said. (via The lawsuit does not seek a specific dollar amount in damages.

Ryuk was first discovered in August 2018. The ransomware often goes undetected for days or months after an initial infection, and it enables a threat actor to identify and attack an organization’s critical network systems.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.