Settlements Reached in 2 Major Healthcare Hacking Lawsuits
Email Threat Protection, Fraud & Cybercrime Management, Healthcare
Experts: Class Actions Filed Over Big Data Breaches Keep Growing
Marianne Kolbasuk McGee (HealthInfoSec)
July 21, 2022
Settlements in class action lawsuits filed over two separate major breaches are the latest examples of the risks posed by email account compromises, and they underscore the litigation exposure that follows such incidents.
The settlements include a multimillion-dollar settlement in a consolidated class action lawsuit against Missouri-based BJC Healthcare, filed following a 2020 email phishing incident that affected the protected health information of 288,000 people.
The proposed settlement asks the nonprofit healthcare organization to pay eligible class members up to $250 each for ordinary disbursements resulting from the incident, as well as up to $5,000 each for documented extraordinary disbursements linked to the breach.
The proposed settlement also requires BJC Healthcare to improve its data security program, including implementing and maintaining multi-factor authentication for remote email access. In total, the hospital system estimates the settlement will cost it nearly $2.7 million.
The other lawsuit is an approved $425,000 settlement in a class action lawsuit against Methodist Hospitals in Indiana over an email hacking incident reported to federal regulators in 2019 as affecting more than 68,000 people.
In that settlement, Methodist Hospitals agreed to pay eligible class members a maximum of $3,000 for economic losses and a separate maximum amount of $300 for lost time.
In their respective settlements, BJC Healthcare and Methodist Hospitals have agreed to also provide settlement class members with two years of identity and credit monitoring services.
Data breach settlements follow a growing trend in litigation, says Iliana Peters, privacy attorney at law firm Polsinelli.
Just five years ago, perhaps only one in five privacy and security incidents reported to regulators resulted in litigation, estimates the former senior adviser to the Department of Health and Human Services’ Office of Civil Rights. Now it’s more like eight out of ten. “This type of litigation also seriously affects cyber insurers and can result in reduced coverage available to entities facing all of these burdens,” Peters laments.
BJC Healthcare incident
Court documents filed in Missouri state court allege that on March 6, 2020, cybercriminals gained access to the email accounts of three BJC employees and accessed sensitive information of the lawsuit plaintiffs and nearly 288,000 other people, including names, dates of birth, Social Security numbers, driver’s license numbers and medical records.
BJC Healthcare reported the breach to HHS OCR on May 5, 2020 as an email hacking incident (see: Incidents associated with cases added to violation count).
Among other claims, the consolidated lawsuit complaint alleged that BJC Healthcare was negligent in protecting health information and personally identifiable information.
The lawsuit also alleged an implied breach of contract and violations of various Missouri state laws.
In addition to cash payments to eligible class members, as part of the proposed settlement, BJC Healthcare has agreed to improve information security for its current and former patients in four ways, including:
- Maintaining a written information security policy that will be distributed to its staff;
- Conducting mandatory annual cybersecurity training courses, new employee orientation, and periodic training updates as new information security issues arise;
- Maintaining a written password policy that requires appropriate password complexity;
- Implementing multi-factor authentication for remote email access, estimated to cost nearly $2.7 million, including initial implementation and annual maintenance expenses.
Technology lawyer Steven Teppler, chairman of the privacy and security practice at law firm Sterlington PPLC, said the requirement for BJC Healthcare to implement multi-factor authentication as part of its settlement is a positive provision.
However, “implementing multi-factor authentication is one of the most critical core cybersecurity components, and I see requirements in this regard both on behalf of my clients and their customers.”
Methodist Hospitals incident
According to a breach notification statement from Methodist Hospitals, the organization learned of unusual activity in an employee’s email account.
A forensic investigation determined that two Methodist employees were victims of an email phishing scheme that allowed an unauthorized actor to access their email accounts.
The investigation determined that the affected email accounts contained personal health information, including names, addresses, Social Security numbers, passport numbers, and medical treatment and diagnosis information.
Court documents filed in the Methodist Hospitals lawsuit allege, among other things, that the organization failed to adequately protect individuals’ PHI and PII, making it vulnerable to compromise.
An Indiana state court judge on June 13 approved a final settlement of $425,000 in the lawsuit. Unlike BJC Healthcare’s proposed settlement, Methodist Hospitals’ settlement does not contain provisions requiring the organization to improve the security of its data.
Methodist Hospitals, in its 2019 breach notification statement regarding the incident, said it was reviewing its existing policies and procedures “and implementing additional safeguards to further protect information.”
There has also been an increase in successful settlements in many class action lawsuits filed over major health data breaches, said privacy attorney David Holtzman of consultancy HITprivacy LLC.
“The settlements are attractive because of the high bar [set for] plaintiffs to demonstrate that they suffered measurable harm as a result of the unauthorized disclosure of their personal information,” says Holtzman, also a former senior adviser at HHS OCR.
Many companies and healthcare organizations defending data breach class action lawsuits also find settlements attractive because of the substantial costs and business disruption of mounting a legal defense, as well as the uncertainty and risk posed by a judgment that they are at fault, he adds.