Sturdy Memorial Hospital & North Shore Pain Management Settle Data Breach Lawsuits

December 13, 2022

Two healthcare organizations in Massachusetts have chosen to settle class action lawsuits that were filed by patients whose protected health information was stolen in cyberattacks.

Sturdy Memorial Hospital

Sturdy Memorial Hospital in Attleboro, MA, has agreed to settle a lawsuit filed in response to a September 2021 ransomware attack in which the attackers gained access to the data of approximately 60,000 patients, including names, addresses, dates of birth, Social Security numbers, financial information, and health information. The attackers exfiltrated patient data and threatened to release the information publicly. The hospital chose to pay the ransom.

The lawsuit – Shedd, et al. v. Sturdy Memorial Hospital Inc. – alleged the hospital had maintained patient information in a reckless manner, as the information was stored on a system vulnerable to cyberattacks and the data was not encrypted. The lawsuit alleged the hospital did not follow Federal Trade Commission guidelines and violated Massachusetts laws by delaying sending notification letters to patients for almost 4 months.

Sturdy Memorial Hospital admitted no wrongdoing and chose to settle the lawsuit to avoid ongoing legal costs. Under the terms of the settlement, class members can claim up to $375 for ordinary losses, including out-of-pocket expenses and up to three hours of lost time at $20 per hour. Claims can also be submitted for documented extraordinary losses incurred between February 9 and February 14, 2021, up to a maximum of $5,000. The settlement also includes free credit monitoring services for class members.

Class members have until January 14, 2023, to exclude themselves from or object to the settlement. Claims must be submitted by February 14, 2023. The fairness hearing is scheduled for February 16, 2023.

North Shore Pain Management

North Shore Pain Management, which operates pain management clinics in Beverly and Woburn, MA, and its vendor, Revolve I.T. Inc, have chosen to settle a class action lawsuit filed in response to an April 2020 ransomware attack.

The attackers gained access to its network and exfiltrated patient data prior to encrypting files. The AKO ransomware gang claimed to have stolen 4GB of data, and that data was leaked when the ransom wasn’t paid. The stolen data included patient names, dates of birth, health insurance information, account balances, financial information, diagnosis and treatment information, and for certain patients, ultrasound and MRI images and/or Social Security numbers. 12,472 current and former patients were affected.

North Shore Pain Management and Revolve I.T. maintain they had implemented adequate defenses to protect against cyberattacks and denied any wrongdoing. The decision was taken to settle the lawsuit to avoid further legal costs and the uncertainty of trial.

Under the terms of the settlement, a fund of $200,000 will be created to cover claims from class members for economic losses and lost time related to the data breach. Each class member may claim up to $150 for ordinary economic losses and lost time, and claims up to a maximum of $1,500 are permitted for extraordinary losses. The settlement also includes 36 months of credit monitoring services or a $25 payment in lieu of the credit monitoring services and reimbursement of economic losses. Claims will be paid pro rata if the claims total exceeds $200,000.

Class members have until December 14, 2022, to exclude themselves from or object to the settlement. Claims must be submitted by January 13, 2023. The fairness hearing is scheduled for January 10, 2023.

The post Sturdy Memorial Hospital & North Shore Pain Management Settle Data Breach Lawsuits appeared first on HIPAA Journal.