Case Overview: A class action lawsuit has been filed against Summit Pathology, alleging that the company failed to protect patient data, leading to a data breach.
Consumers Affected: Individuals whose personal and medical information was compromised in the Summit Pathology data breach.
Court: U.S. District Court for the District of Colorado
Summit Laboratory, an independent pathology provider, failed to protect sensitive personal and medical information, resulting in an April data breach that left patients vulnerable to identity theft and fraud, a new lawsuit claims.
The lawsuit alleges that Summit’s insufficient cybersecurity measures allowed cybercriminals to access and potentially misuse personal data, including Social Security numbers and medical details, saying the breach “was a direct result of [Summit’s] failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect individuals’ private information with which it was entrusted for either treatment or employment or both.”
Karen Alexander filed the proposed class action lawsuit on behalf of herself and her children, accusing Summit of failing to protect their sensitive data and then failing to notify them or act upon the breach.
According to the lawsuit, the breach first came to light for Alexander and her family when they received notification letters—sent to a previous address—about the exposure of their personal information. When she attempted to contact Summit for details on the breach, she was informed that no additional letters or digital copies would be sent to correct the mailing error, leaving her reliant on a phone call summary of the notice.
The lack of clarity around what specific information was accessed has left Alexander especially anxious about the risks to her and her family’s privacy, she says in the lawsuit. Since the breach, she says she has seen a significant increase in spam calls and emails and has received a notification that her personal data had surfaced on the Dark Web, which she believes is linked to the incident. Alexander says she now has to dedicate hours each week to monitoring for suspicious activity.
According to Summit’s notice, suspicious activity was detected on its systems in April. However, plaintiffs argue that Summit’s response was too slow and that its security measures were insufficient given the high value of the medical and personal data it stores.
The lawsuit highlights the growing risk to healthcare organizations, which handle large volumes of sensitive information. The breach has not yet been publicly reported to the Department of Health and Human Services’ Office for Civil Rights, raising further questions about transparency.
In the wake of the breach, those affected are now at heightened risk for identity theft. Stolen information could be used in various ways, from unauthorized medical claims to fraudulent financial activity, impacting victims for years, the lawsuit states. Alexander, who now constantly monitors her accounts, says Summit’s actions have not only cost her peace of mind but have placed an ongoing burden on her daily life.
Summit claims to have reviewed and bolstered its cybersecurity protocols, stating that it takes data security “seriously.” However, Alexander argues that these measures came too late and were inadequate in preventing the breach.
She said the company failed to follow industry recommendations, including Federal Trade Commission guidelines, that outline preventive steps Summit could have implemented, such as system encryption, regular network monitoring, and a more effective response plan to minimize the breach’s impact.
The healthcare sector has seen a dramatic rise in cyberattacks, with nearly three-quarters of reported breaches being hacking incidents. In 2021, over 700 healthcare data breaches affected providers across the U.S., as cybercriminals increasingly target medical records. Alexander alleges that Summit should have heeded these trends to secure patient data.
With the rise in breaches, there has also been a rise in consumers using lawsuits to hold companies to account for lacking security measures. Summit Laboratory is just the latest in a list that includes legal action against Hospital Sisters Health System and Kaiser Permanente, where plaintiffs claim inadequate security measures and unauthorized data sharing with tech companies like Google and Microsoft compromised millions of patients’ personal information.
Coastal Orthopedics, SouthCoast Medical Group, and Justice Resource Institute also face lawsuits following breaches that allegedly left patients vulnerable to identity theft and fraudulent claims due to security lapses. Beyond individual healthcare facilities, even industry giants like Change Healthcare are under legal scrutiny, with more than 50 lawsuits filed after a significant breach earlier this year.
In the Summit Pathology data breach class action lawsuit, Alexander wants to represent affected people from across the country in her claims of negligence, breach of contract, unjust enrichment, violations of state consumer protection laws, and more. She is seeking injunctive relief, credit monitoring, annual auditing, damages, fees, and costs.