By Darius Tahir 

Posted: October 13, 2014 – 2:30 pm ET

Community Health Systems, the 207-hospital, 29-state operator, is facing a class-action lawsuit brought by a New Mexico woman, Briana Brito, over a data breach it reported Aug. 18.

The suit, filed in the 4th Judicial District Court in San Miguel County in New Mexico, is being handled by law firms Slack & Davis and the Branch Law Firm, which are meeting with additional potential class representatives in Las Vegas, N.M., on Oct. 15, and have fielded inquiries from other patients based in six other states interested in joining the lawsuit, Slack & Davis attorney Paula Knippa said in an interview.

Brito and her family contend in the suit (PDF) that they were treated at Alta Vista Regional Hospital, Las Vegas, N.M., at the time the breach took place. “As a result of defendants’ failure to implement and follow basic security procedures, plaintiff’s sensitive information is now in the hand of thieves,” according to the suit. The suit does not ask for a specific dollar amount in damages, but instead calls on a jury to determine that at trial.

A CHS spokeswoman declined to comment on the lawsuit, per company policy on pending lawsuits. Opposing attorney Knippa expects a formal response to be filed to his complaint by the end of the month.

The breach was a massive one: 4.5 million patient records were exposed, making it the second largest in HHS’ records, which date to 1997.

According to a CHS SEC filing describing the breach, the hack likely originated from China and focused on valuable non-clinical, non-medical data, such as “patient names, addresses, birthdates, telephone numbers and Social Security numbers.”

Hackers struck in April and June 2014. CHS offered identity theft protections to affected individuals.

CHS’ SEC filing anticipates the possibility of litigation, but does not expect it to have a material effect on its finances.

The law firms also are starting a national campaign, primarily on television, to alert potentially affected individuals about the data breach and potentially recruit them as clients as well.

The focus of the existing suit will likely be on Community Health Systems’ security procedures and the operator’s alleged tardiness in alerting patients about the dangers of the data breach, Knippa said.

“It’s uncertain at what point that information will be exploited. The problem is that personal information doesn’t change. The repercussions of this event could be felt for years,” she said.