LifeBridge Health Inc. has agreed to settle a class action lawsuit to resolve claims from patients affected by a data breach that was discovered in 2018. The total value of the settlement is $9.475 million, which includes an $800,000 fund to cover claims from class members.
In March 2018, LifeBridge Health discovered a malware infection that provided unauthorized individuals with access to a server that hosted its electronic medical records, patient registration, and billing systems. The breach investigation determined the initial intrusion occurred 18 months previously in September 2016. The breach was disclosed by LifeBridge Health in May 2018, with the healthcare provider confirming the information of 582,174 patients had potentially been compromised, with the exposed information including names, dates of birth, addresses, diagnoses, medications prescribed, clinical and treatment information, insurance details, and a limited number of Social Security numbers.
A lawsuit – Johnson, et al. v. LifeBridge Health, Inc. – was filed in the Circuit Court for Baltimore City, MD, by the law firm Murphy, Falcon & Murphy on behalf of patients affected by the incident. The two patients named in the lawsuit, Jahima Scott and Darlene Johnson, claimed to have had their identities stolen as a direct result of the breach, with both claiming they were victims of credit card fraud shortly after the data breach occurred.
The lawsuit alleged class members had been exposed to serious harm and that their personal and protected health information was in the hands of identity thieves, which placed them at immediate and ongoing risk of identity theft and fraud. The named plaintiffs claimed to have suffered monetary losses, had financial transactions declined, experienced issues with their email accounts, fraudulent accounts were created in their names, and their identities had been used to file fraudulent claims for unemployment benefits and COVID-19 disaster small business loans.
The lawsuit alleged LifeBridge Health was negligent as it failed to follow basic security practices, which violated several privacy protection statutes in Maryland, including the Maryland Personal Information Protection Act, Maryland Social Security Number Privacy Act, and Maryland Consumer Protection Act.
LifeBridge Health did not admit to any wrongdoing and did not accept liability for the incident, but chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, LifeBridge Health has agreed to create an $800,000 fund to cover claims from class members and will invest $7.9 million in additional security measures to prevent further data breaches, including data encryption, network monitoring, security awareness training, asset tracking, and multi-factor authentication. The remaining $775,000 of the total settlement amount will cover legal fees.
Class members are entitled to submit claims for reimbursement of ordinary and extraordinary losses, including up to 3 hours of lost time at $20 per hour, and a further 2 hours if they suffered extraordinary losses. Claims for ordinary losses of up to $250 per class member can be submitted to cover bank fees, credit monitoring, credit freeze, communication, and other costs, and a claim can be submitted for extraordinary losses up to a maximum of $5,000.
A final approval hearing has been scheduled for October 26, 2022. Claims must be submitted by February 1, 2023.
The post LifeBridge Health Agrees to $9.5 Million Settlement to Resolve 2016 Data Breach Claims appeared first on HIPAA Journal.