Class-action suit related to health-care breach dismissed

A federal district court last week dismissed a purported class-action lawsuit filed in connection with a 2022 ransomware attack that reportedly compromised the protected health information of almost 624,000 people, stating there was no evidence plaintiffs had been harmed.

More than 100 current and former Chicago-based CommonSpirit Health facilities in 13 states might have been affected by the attack, which it was said compromised protected health information.

The lawsuit charged the health care organization with negligence, breach of implied contract and unjust enrichment, according to Thursday’s ruling by the U.S. District Court in Chicago in Leeroy Perkins et al. v. CommonSpirit Health.

In dismissing the case, the court said the plaintiffs “have not suffered a breach of their sensitive information, such as Social Security numbers and credit card information that would make future losses not only possible but imminent.”

The ruling cited the July 2015 ruling in Remijas v. Neiman Marcus Group LLC by the 7th U.S. Circuit Court of Appeals in Chicago, which held that plaintiffs had met the standard set by the U.S. Supreme Court by showing there was a “substantial risk of harm” from a 2013 data breach.

The district court said in dismissing the CommonSpirit case that “Plaintiffs do not allege that they have suffered any fraudulent activity to date, that could require the taking of protective actions such as those taken by Remijas to avoid imminent losses.”

Attorneys in the case had no comment or did not respond to a request for comment.