ATTLEBORO — A class action lawsuit has been filed against Sturdy Memorial Hospital alleging it failed to properly protect personal patient information that was stolen in a ransomware attack earlier this year.
The suit was filed Thursday in Plymouth Superior Court by attorneys for Barbara Ragan Bennett, a resident of Plymouth County, and on behalf of “all others similarly situated.”
It was estimated there are 35,271 others affected by the hack attack, which took place Feb. 9, 2021.
The suit is seeking an unspecified amount of damages including extended credit monitoring, “actual damages, compensatory damages, statutory damages and statutory penalties, punitive damages and attorneys’ fees and costs.”
Court documents said damages exceeded $50,000.
Lead attorney Stephen J. Teti of Lockridge Grindal Nauen P.L.L.P of Minneapolis, signed the complaint.
When contacted by The Sun Chronicle Tuesday afternoon, Teti had no comment on the case. Sturdy also declined comment.
A law firm from Los Angeles, Glancy Prongay & Murray LLP, and one from Boston, The Law Office of Sean K. Collins, are also representing the plaintiffs.
Sturdy paid an undisclosed ransom to the hacker to get its information back and offered all those affected two years of free credit monitoring.
But lawyers for Bennett claim Sturdy should have prevented the theft of the information.
“Defendant maintained and secured the PII (personally identifiable information) in negligent manner by failing to safeguard against ransomware attacks,” the complaint said. “Had Sturdy properly maintained its IT (information technology) systems, it could have prevented the data breach.”
While a ransom was paid, the complaint alleges that payment does not guarantee personal information will be protected.
“Defendant cannot reasonably maintain that the data thieves destroyed the information they obtained, or more generally, that the harm to the victims has been cured…”
Some of the information stolen includes names, contact information, dates of birth, Social Security numbers, Medicare Health Insurance claim numbers, driver’s license numbers and medical history.
In addition, lawyers argued that the two free years of a credit monitoring service is insufficient “because misuse of the information taken in the breach is likely to last longer than two years, and further, that credit monitoring alone does not compensate victims for the consequences of the breach.”
Bennett’s attorneys requested a jury trial.