$295,000 Settlement Proposed by Conway Regional Medical Center to Resolve Data Breach Lawsuit

By | December 12, 2022

Conway Regional Medical Center, a non-profit healthcare system in north central Arkansas, has proposed a $295,000 settlement to resolve a class action lawsuit that was filed on behalf of individuals affected by a 2019 data breach.

The data breach in question occurred in June 2019. Email accounts containing the protected health information of patients were accessed by unauthorized individuals after employees responded to phishing emails. The review of the email accounts revealed they contained patient names, addresses, Social Security numbers, medical information, and health insurance information. Approximately 37,000 patients were affected and had their information exposed.

Following the breach, a lawsuit – Danielle Marshall v. Conway Regional Medical Center Inc – was filed in Faulkner County Circuit Court alleging Conway Regional was negligent for failing to implement appropriate safeguards to protect patient information, and that as a direct result of that negligence, the protected health information of the plaintiff and class members allowed that information to be accessed by criminals. Conway Regional maintains that it had implemented meritorious defenses against phishing and other cyber threats and was prepared to vigorously defend the lawsuit; however, the decision was taken to settle the lawsuit to end the litigation and prevent further legal costs. Conway Regional says the settlement has been proposed to resolve the disputed claims and is not an admission of any lawbreaking or wrongdoing.

Under the terms of the proposed settlement, class members will be eligible to receive two years of identity theft protection services through IDX. Instructions for signing up for those services are detailed in the settlement. In contrast to many settlements that allow claims to be submitted for documented losses, there are some caveats. A claim of up to $850 may be submitted for reimbursement of documented losses, but only by class members who have enrolled in the IDX services that have activated them per the instructions, and if a claim is first submitted through the IDX service and that claim is denied. Before submitting a claim, class members must also exhausted the IDX claim process. If IDX rejects the claim because it was not submitted within the allowed time frame or due to insufficient documentation, class members will not be eligible to claim for reimbursement under the settlement. Class members may also claim up to $40 for lost time fairly traceable to the data breach, independent of any claim for documented losses, and regardless of whether they have signed up for the IDX services.

To sign up for the IDX services, class members must complete the Election form before February 20, 2023. Claims for reimbursement of economic losses and lost time must also be submitted by February 20, 2023. The deadline for exclusion from or objection to the settlement is December 21, 2022. A fairness hearing has been scheduled for February 7, 2023.

The post $295,000 Settlement Proposed by Conway Regional Medical Center to Resolve Data Breach Lawsuit appeared first on HIPAA Journal.