Patients file class-action suit against Aultman over data breach

Share:

A former patient has filed a class-action lawsuit against Aultman Health System, alleging the healthcare provider failed to protect sensitive personal and medical information during a data breach early last year and waited months to notify affected patients.

The complaint, filed in Stark County Common Pleas Court, claims Aultman experienced a cyberattack around Jan. 22, 2025, that compromised highly sensitive data belonging to current and former patients, including names, Social Security numbers, medical records, test results, diagnoses and other private treatment information. According to the filing obtained by Jordan Miller News, the breach impacted “hundreds of thousands” of individuals.

The lawsuit alleges Aultman did not alert patients until nearly a year after the breach occurred, despite knowing the data had been accessed by unauthorized third parties. The plaintiff, Jack Oliver, claims the delayed disclosure increased the risk of identity theft, financial fraud and medical identity fraud for patients whose information was leaked.

Aultman is accused of negligence, unjust enrichment and violating federal cybersecurity standards related to data protection. The filing argues Aultman failed to implement reasonable cybersecurity measures, failed to encrypt sensitive information, relied on a third-party vendor without sufficient safeguards and disregarded federal guidelines issued by the Federal Trade Commission.

The lawsuit also asserts that healthcare organizations are considered high-value targets for cybercriminals due to the long-term usefulness of medical and identity records. The filing cites federal data showing Social Security numbers and patient health information can be exploited for tax, insurance and employment fraud, and can circulate for years on underground markets.

The proposed class includes current and former Aultman patients whose information was compromised in the breach. The plaintiff is seeking monetary damages and injunctive relief that would require Aultman to strengthen its data security practices, including providing identity monitoring services to affected patients.