A class action lawsuit has been filed against the Salem Community Hospital and Perry Johnson & Associated Inc. (PJ&A) over a data breach it said occurred between March 2 and May 2.

About 9 million people were impacted by the data breach, according to the lawsuit, which was filed today, Dec. 20.

However, the victims of this data breach weren't alerted to the incident until November.

The lawsuit, filed by Michael Stone and Leeanne Varner, claims the defendants waited more than seven months to alert the victims of the data breach and failed to tell them how many people were impacted, how the breach happened, or why it took so long to alert the victims.

"...Cybercriminals had unrestricted and unrestrained access to Plaintiffs’ and the Class’s highly private Sensitive Information for perhaps as much as
five weeks. Discovery may reveal that this occurred for a longer period," the lawsuit claims.

The plaintiffs are seeking injunctive relief, damages, and restitution together with costs and attorney's fees.

According to PJ&A,  a medical vendor that offers medical coding, transcription, and reporting services to medical providers, the data breach occurred with a medical transcription service provider the hospital uses in Nevada.

Although the hospital has yet to file an answer to the complaint, Debbie Pietrzak, vice president of marketing for the hospital, told 21 News earlier that the leaked data did not include any credit card information. However, Salem Regional was not clear if any social security numbers may have been accessed.

The letter from PJ&A states the files accessed contained names, social security numbers, and one or more of the following: date of birth, address, phone number, medical record, hospital account number, and date/s of service.

PJ&A stated in a letter in November that the company is not aware of any instances of fraud or identity theft involving the data leak.

Despite this, the lawsuit claims the group's failure to notify the victims promptly made them vulnerable to identity theft without any warnings to monitor their financial accounts or credit reports to prevent unauthorized use of sensitive information.

You can read the full lawsuit below: 

 

RELATED: