Judge Allows Class Action Lawsuit Against Ascension Over Data Breach to Proceed
Health system Ascension is facing a class action lawsuit following a major data breach last year, with a judge ruling that certain claims against the organization can move forward.
Key Points:
- Judge John Ross allowed allegations of negligence in safeguarding patient data during a ransomware attack to continue in court.
- Claims related to state consumer protection laws were also permitted to advance in the lawsuit.
- However, other claims, including breach of contract and unjust profiting at patients’ expense, were dismissed.
Details of the Data Breach:
Ascension, a large health system operating multiple hospitals and senior living facilities nationwide, fell victim to a ransomware attack in May 2024. The attack disrupted critical systems, compromising the data of over 5.4 million individuals.
Allegations Against Ascension:
The lawsuit, filed shortly after the cyberattack, claims that Ascension failed to implement necessary security measures, allowing hackers to access sensitive patient information. Plaintiffs argue that they are at risk of identity theft and have experienced various issues, including fraudulent charges and delayed care.
Legal Battle:
Ascension tried to dismiss the lawsuit, stating that plaintiffs had not suffered direct harm from the breach. However, the judge ruled that the risk of future harm was significant, and plaintiffs’ claims of present injury were sufficient to proceed with the case.
Impact on Ascension:
The cyberattack had substantial financial implications for Ascension, leading to a $1.1 billion net loss in 2024. Despite this setback, the organization returned to profitability in 2025, reporting a net income of $917.7 million.
As cybersecurity threats continue to plague the healthcare industry, organizations must prioritize data protection to safeguard patient information and mitigate financial risks associated with data breaches.
