St. Joseph Health Reaches $7.5M Settlement Agreement in Health Care Data Breach

By | April 1, 2016

St. Joseph Health System (SJHS) has reached a settlement in a class action lawsuit for a 2012 health care data breach. SJHS will split a total settlement of $7.5 million, paying class members $242 each.

In addition to the $7.5 million settlement, $3 million has been set aside for patients who suffered from identity theft. These patients may apply for up to $25,000 each. Court documents show that SJHS has invested money in notifying patients of the breach, complying with federal security regulations, and offering free credit monitoring for affected individuals. The health system will also be required to implement new and additional security measures.

The data breach reportedly occurred between 2011 and 2012. It was discovered when Danna Graewingholt, one of the class members, found her protected health information (PHI) was available online via search engine.

The hospital uncovered the breach after Graewingholt notified SJHS’s legal department. Potentially breached information included patients’ names, demographic information, advance directive status, medication allergies, smoking status, blood pressure, diagnoses, lab results, and medical data such as body mass index.

There were potentially 31,802 affected individuals spanning a number of SJHS’s facilities, including The Auxiliary of Mission Hospital Laguna Beach, Saint Joseph Hospital of Orange,

Mission Hospital Regional Medical Center, Petaluma Valley Hospital Auxiliary, Redwood Memorial Hospital of Fortuna, Santa Rosa Memorial Hospital, The Auxiliary of Mission Hospital Mission Viejo, Saint Joseph Hospital of Eureka, Queen of the Valley Medical Center, and St. Jude Hospital.

A group of potentially affected victims filed a lawsuit against the health system. Court documents state that the lawsuit alleged wrongdoing on four accounts: violation of the Confidentiality of Medical Information Act (CMIA), negligence, violation of the California Unfair Competition Law (UCL), and money had and received.

These kinds of class action lawsuits are common in health care data breaches. Last year, patients filed a class action lawsuit against the Office of Personnel Management (OPM), claiming OPM did not adequately protect PHI and did not meet Federal Information Security Management Act guidelines.

UCLA Health also recently had a health care data breach that potentially affected as many as 4.5 million patients, and is facing a class action lawsuit for failing to protect PHI. The class members in this case also allege that UCLA health was negligent in its efforts to notify those potentially affected by the breach in a timely manner.

These cases stress the importance of adequate security measures to protect PHI. However, if data breaches do occur, HIPAA regulation requires that entities notify potentially affected individuals in a timely manner, with stricter reporting requirements for ‘meaningful breaches’ of 500 individuals or more.