A federal judge has denied Ascension’s bid to dismiss a nationwide class-action lawsuit brought by individuals who say they were harmed by last year’s major cybersecurity breach, though he tossed several of the proposed counts brought by plaintiffs.
Judge John Ross, of the U.S. District Court for the Eastern District of Missouri, wrote in a Sept. 23 order that plaintiffs may move ahead on a nationwide class action asserting negligence and negligence per se as well as on several subclass claims related to state laws in Arkansas, Florida, Illinois, Wisconsin, Michigan and Indiana.
Multiple nationwide class claims, including breach of express contract and invasion of privacy, as well as a claim specific to Oklahoma law, were tossed.
Ascension, one of the country’s largest nonprofit health systems with ownership or other interests in about 120 hospitals, faced weeks of downtime procedures and months of volume declines due to the breach detected in May 2024.
The organization has said the breach stemmed from a contractor clicking on a malicious link in February 2024. Malware downloaded onto the contractor’s laptop then spread into an organizationwide user account directory, giving the attackers privileged access and allowing them to copy sensitive data while pushing ransomware to thousands of other Ascension computers.
The 13 named plaintiffs on the consolidated class action were patients at the time of the breach and said they had given Ascension their protected health information and personally identifiable information.
“Plaintiffs further plead that Ascension was negligent in failing to maintain adequate security, protect patient information, monitor its IT systems for intrusions, train its employees to avoid phishing, comply with FTC cybersecurity guidelines and HIPAA, and adhere to industry standards,” according to court documents. “Consequently, Plaintiffs face an imminent and ongoing risk of fraud and identity theft that was well-known and foreseeable.”
Ascension, in notices sent to consumers in December 2024, said 5.6 million patients and employees were exposed and offered those affected 24 months of credit monitoring, a $1 million insurance policy and identity theft recovery services. In its move to dismiss, the system had argued the plaintiffs “suffered no actual injury caused by the attack and therefore lack standing to sue” alongside other points on specific claims’ viability.
Legal issues aside, the 2024 cyberattack has already had a lasting impact on the health system’s finances and operations. In financial statements, Ascension management described backlogs in payment claims and a multiquarter recovery of elective procedure volumes that affected performance. That translated to an acute impact on its fiscal year 2024 operating loss of $1.8 billion and a prolonged, but steadily improving, drag on fiscal year 2025’s $490.9 million operating loss.