San Andreas Regional Center has agreed to settle a class action lawsuit that was filed in response to a July 2021 ransomware attack in which hackers gained access to the personal information of more than 57,000 patients
The San Jose, CA-based healthcare provider supports individuals with developmental disabilities through its facilities in the Santa Clara, Santa Cruz, San Benito, and Monterey counties. The ransomware attack occurred on or around July 5, 2021, and prior to encrypting files, the threat actor potentially accessed and exfiltrated sensitive patient data such as names, addresses, dates of birth, telephone numbers, Social Security numbers, email addresses, health plan beneficiary numbers, health insurance information, full-face photos, and medical information. Affected individuals were notified about the cyberattack in August 2021 and were offered complimentary credit monitoring and identity theft protection services.
A lawsuit – Lopez, et al. v. San Andreas Regional Center – was filed in the Superior Court of California in response to the breach alleging the healthcare provider was negligent for failing to implement reasonable cybersecurity measures to protect against ransomware attacks, despite being aware of the high risk of attacks on the healthcare sector. The lawsuit alleged the plaintiff and class members now face a high risk of identity theft and fraud as a result of the data breach and have incurred out-of-pocket expenses and lost time securing their accounts and protecting against the misuse of their personal and protected health information.
San Andreas Regional Center denies all claims related to the data breach but decided to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the proposed settlement, class members are entitled to submit claims of up to $500 for documented ordinary expenses that are reasonably traceable to the data breach, such as bank fees, credit costs, and communication charges, and up to 3 hours of lost time at $20 per hour. Claims of up to $2,500 will be accepted for documented extraordinary losses due to identity theft and fraud.
Individuals wishing to object to or exclude themselves from the proposed settlement have until March 13, 2023, to do so. Claims must be submitted by August 2, 2023. The final approval hearing is scheduled for August 2, 2023. The class is represented by attorneys Michael Anderson Berry of Clayeo C Arnold PC and David k Lietz of Milberg Coleman, Bryson, Phillips Grossman PLLC.
The post San Andreas Regional Center Agrees to Settle 2021 Ransomware Attack Lawsuit appeared first on HIPAA Journal.