An Iowa hospital network is facing a pair of potential class-action lawsuits over a cyberattack that allegedly resulted in hackers gaining access to personal information on more than 20,000 eastern Iowa patients.

Lawyers for Tiffany Harris of Clinton are suing Mercy Health Network, also known as MercyOne Clinics, for negligence, breach of implied contract and unjust enrichment. The lawsuit seeks unspecified damages and a court injunction that would help ensure patient information is kept confidential and protected from any future hacks.

The lawsuits stem from an incident earlier this year that prompted Mercy Health Network to publish a notice in May stating that portions of its network “were accessed by an unknown and unauthorized party between March 7, 2023 and April 4, 2023.” Mercy said the attack was “limited to its clinics in the Clinton, Iowa, area.”

The notice said that on May 23, 2023, Mercy determined individuals’ “information may have been impacted” by the incident, and it went on to say the types of information might include people’s name, address, date of birth, driver’s license number, Social Security number, financial account information, treatment and condition information, diagnostic information, prescription-medicine information, billing information and other data.

The lawsuit alleges that despite Mercy’s duty to secure and safeguard personal information, the network had “stored this private information on a database that was negligently and/or recklessly configured.” Mercy, the lawsuit claims, failed to adequately encrypt the information and, “foreseeably, cybercriminals exploited these vulnerabilities.”

The hack has created a risk of identity theft for the affected patients, and that risk “will remain for their respective lifetimes,” the lawsuit alleges.

Harris is a MercyOne-Clinton patient and has sought medical care from the hospital “in several instances,” but is very careful about sharing her personal information, according to the lawsuit. The data breach has allegedly caused Harris to experience “stress, fear and anxiety” while spending a significant amount of time monitoring her financial accounts and credit reports to ensure no fraudulent activity has occurred.

In seeking class-action status so that others may join Harris as plaintiffs in the case, attorney Jeffrey C. O’Brien of the Minneapolis law firm Chestnut Cambronne alleges that “there are certainly tens of thousands, and probably at least more than 20,865 individuals whose private information was improperly accessed in the data breach.”

A similar lawsuit was filed this week by West Des Moines attorney J. Barton Goplerud on behalf of plaintiff Jennifer Medenblik of Illinois. That lawsuit, which also names MercyOne’s parent, Trinity Health Corp., as a defendant, alleges violations of the Health Insurance Portability and Accountability Act and a failure to protect sensitive data according to Federal Trade Commission guidelines.

Mercy Health Network is an integrated system of hospitals, clinics and other health care providers with more than 2,000 physicians and advanced-practice clinicians working in 18 medical centers. It is run by Trinity Health Corp., one of the largest not-for-profit, faith-based health care systems in America. Trinity has 123,000 employees, and nearly 27,000 physicians and clinicians, working in 26 states.

Mercy Health Network has yet to file a response to either of the lawsuits, and a spokesperson declined to comment on the litigation.

Last fall, a business partner of the Mercy Health Network called CommonSpirit Health announced that it had “experienced a ransomware event that impacted some personal information” belonging to some unspecified number of individuals.

The information included names, addresses, dates of birth, phone numbers, email addresses, diagnosis and treatment information and medical billing information. CommonSpirit Health indicated that “for a small number of individuals,” Social Security numbers were also involved.

