A $480-million proposed class action lawsuit has been filed against the five Ontario hospitals hit by a recent ransomware attack — and the IT company that services them.
Robert Smith is the lawsuit's lone named plaintiff. The Sarnia man has been a patient of Bluewater Health throughout his life, according to court documents, for various medical treatments.
Bluewater, Windsor Regional Hospital, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and TransForm Shared Service are the organizations named in the suit.
In a joint response, the hospitals and TransForm acknowledged they are in "receipt of a lawsuit related to the cyberattack," and with it now being a legal matter before the courts they will not be commenting further about it.
All have been hard hit by the Oct. 23 cyberattack that ended up exposing patient records and information, and altering care.
Cybercriminial group Daixin has claimed responsibility for the attack and has published some of the stolen data on the dark web.
The lawsuit alleges that so far roughly 267,000 people have been discovered to be affected by the breach.
The hospitals and IT service provider owed the patients a "duty of care," according to the statement of claim, by handling, storing and protecting their personal information — which was breached — including privacy.
It says the mental health of the plaintiff and class action members has also been impacted, arising from their "anxiety and distress" upon being told of the security breach.
"Such mental injuries were within the reasonable contemplation of the defendants at the time that the relationship was formed," the statement of claim read. "They are serious, prolonged, and rise above the ordinary annoyances, anxieties and fears that come with living in modern day society."
The lawsuit alleges the breach occurred due to the hospitals and its IT service providing "inadequate technical and procedural safeguards."
"The cyberattackers were able to gain access to the computer systems because the defendants knowingly or recklessly failed to take steps to protect the personal information in its computer systems, and failed to have adequate information technology securities policies in place."
None of the allegations in the lawsuit statement of claim have been proven in court. Class action lawsuits have to be certified by a judge before they can proceed.
The hospitals said they refused to pay the requested ransom.