Email Threat Protection , Fraud Management & Cybercrime , Healthcare
Settlements Reached In 2 Large Healthcare Hack Lawsuits
Experts: Class Actions Filed in Wake of Big Data Breaches Keep GrowingSettlements in class action lawsuits filed in the aftermath of two separate major breaches serve as the latest examples of threats and risks involving email hacks - as well as underlining the threat of litigation in the wake of such incidents.
See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical
The settlements include a multimillion-dollar settlement in a consolidated class action lawsuit against Missouri-based BJC Healthcare, launched in the wake of a 2020 email phishing incident affecting the protected health information, including 288,000 individuals.
The proposed settlement calls for the non-profit healthcare organization to pay eligible class members up to $250 each for ordinary out-of-pocket expenses resulting from the incident, as well as up to $5,000 each for their documented extraordinary out-of-pocket losses tied to the breach.
The proposed settlement also calls for BJC Healthcare to improve its data security program, including implementing and maintaining multifactor authentication for remote email access. In all, the hospital system estimates the settlement will cost it nearly $2.7 million.
The other legal action is an approved $425,000 settlement in a class action lawsuit against Indiana-based Methodist Hospitals following an email hacking incident reported to federal regulators in 2019 as affecting more than 68,000 individuals.
In that settlement, Methodist Hospitals agreed to pay eligible class members a maximum of $3,000 for economic losses and a separate maximum amount of $300 for lost time.
In their respective settlements, both BJC Healthcare and Methodist Hospitals agreed to also offer settlement class members two-years of identity and credit monitoring services.
The data breach settlements follow a growing litigation trend, says privacy attorney Iliana Peters of the law firm Polsinelli.
As recently as five years ago, maybe only one in five privacy and security incidents reported to regulators resulted in litigation, estimates the former senior adviser at the Department of Health and Human Services' Office for Civil Rights. Now, it's more like eight out of ten. "This type of litigation is seriously affecting cyber insurers, as well, and may result in less coverage available to entities with all of these burdens to confront," Peters laments.
BJC Healthcare Incident
Court documents filed Missouri state court allege that on March 6, 2020, cybercriminals gained access to the email accounts of three BJC employees and accessed the sensitive information of the lawsuit's plaintiffs and nearly 288,000 other individuals, including names, dates of birth, Social Security numbers, drivers’ license numbers, and medical records.
BJC Healthcare reported the breach to the HHS OCR on May 5, 2020 as an email hacking incident (see: Business Associate Incidents Added to Breach Tally).
Among other claims, the consolidated lawsuit complaint alleged BJC Healthcare was negligent in safeguard health information and personally identifiable information.
The lawsuit also alleged breach of implied contract and violations of various Missouri state laws.
Security Enhancements
In addition to cash payments to eligible class members, under the proposed settlement, BJC Healthcare has agreed to improve security of its current and former patients’ information through four different means. That includes:
- Maintaining a written information security policy that will be distributed to its workforce;
- Conducting annual mandatory cybersecurity training classes, new hire orientation, and periodic training updates as new information security issues arise;
- Maintaining a written password policy, requiring appropriate password complexity;
- Implementing multifactor authentication for remote access to email, estimated to cost nearly $2.7 million, including initial implementation and annual maintenance expenses.
Technology attorney Steven Teppler, chair of the privacy and security practice of law firm Sterlington PPLC says the requirement for BJC Healthcare to implement multifactor authentication as part of its settlement is a positive provision.
However, "implementation of multifactor authentication is one of the most essential basic cyber security cybersecurity components, and I see requirements for this both on behalf of my clients as well as from their clients."
Methodist Hospitals Breach
Methodist Hospitals in a breach notification statement the organization learned of unusual activity in an employee’s email account.
A forensic investigation determined that two Methodist employees fell victim to an email phishing scheme that allowed an unauthorized actor to gain access to their email accounts.
The investigation determined that the affected email accounts contained PHI including names, addresses, Social Security numbers, passport numbers and medical treatment/diagnosis information.
Court documents filed in the Methodist Hospitals lawsuit alleges, among other claims, that the organization failed to adequately protect individuals' PHI and PII, leaving it vulnerable to compromises.
A judge in Indiana state court approved on June 13 a $425,000 final settlement in the lawsuit. Unlike the proposed BJC Healthcare settlement, the Methodist Hospital settlement does not contain provisions calling for the organization to improve its data security.
Methodist Hospitals in its 2019 breach notification statement about the incident said it was reviewing its existing policies and procedures "and implementing additional safeguards to further protect information."
Litigation trends
There has also been an uptick in settlements being reached in many of the class action lawsuits filed in the wake of major health data breaches, says privacy attorney David Holtzman of the consulting firm HITprivacy LLC.
"Settlements are attractive because of the high bar [set for] plaintiffs to demonstrate they suffered measurable harm because of the unauthorized disclosure of their personal information," says Holtzman, also a former senior adviser at HHS OCR.
Many businesses and healthcare organizations defending against class action data breach litigation also find settlements appealing because of the substantial cost and business disruption from mounting a legal defense, as well as the uncertainty and risk posed by a judgement that they are at fault, he adds.