NASHVILLE, Tenn. (WKRN) — Patients of HCA Healthcare are suing the company in a class action for failing to protect their private information this June when it experienced a data breach.

The suit, filed in federal court, claims HCA Healthcare, Inc. failed to protect the personally identifiable information and protected health information of the patients of hospitals and physician groups under its management, which was then compromised in a data breach last month. Around July 5, the suit claims, an “unauthorized party” was able to obtain a significant amount of personal information from HCA’s external data storage system and then posted it to an “online dark web hacker forum.”

The information stolen included patient names, cities, states, ZIP codes, email addresses, phone numbers, dates of birth, genders, patient service dates and locations, and next appointment dates of some 11 million HCA patients, according to the suit.

Among the claims in the complaint are negligence, negligence per se, invasion of privacy, breach of implied consent, unjust enrichment and violation of the California Confidentiality of Medical Information Act, and the class is seeking monetary damages as well as injunctive and declaratory relief.

The suit asks the U.S. District Court for the Middle District of Tennessee to certify this as a class action lawsuit and to enjoin HCA from “engaging in the wrongful conduct” related to the disclosure of private personal information of the class members. Additionally, the suit asks the Court to force HCA to protect all data collected from patients through encryption and to destroy the personal information of the class members unless it can justify why it’s necessary to keep it.

Further, the suit asks the Court to require HCA to “implement and maintain a comprehensive Information Security Program designed to protect the confidentiality and integrity” of that information for all class members and to prevent HCA from storing information on a cloud-based database. The demands also include a request for HCA to use independent third-party firms as well as internal security teams to regularly test for cybersecurity vulnerabilities, monitor web traffic to its servers and test employees’ compliance with such measures for at least 10 years, as well as increased training for all staff on such testing and security vulnerabilities, and other damages.