A settlement proposed by Rehoboth McKinley Christian Health Care Services to resolve claims related to a February 2021 cyberattack has been approved by a New Mexico federal judge. The settlement will compensate affected individuals for lost time and out-of-pocket expenses incurred in response to the data breach up to a maximum of $4,000 per person.
Rehoboth McKinley Christian Health Care Services operates a 60-bed acute care hospital and outpatient clinics and provides home health care services in New Mexico and Arizona. In February 2021, a security breach was detected, with the investigation revealing unauthorized individuals had access to its network from January 21 to February 5, 2021, during which time they had access to the protected health information of approximately 191,000 patients, including names, contact information, Social Security numbers, medical information, and health insurance information. Patients were notified about the data breach in May 2021.
In June 2021, a lawsuit – Charlie et al. v. Rehoboth McKinley Christian Health Care Services – was filed on behalf of Alicia Charlie, Leona Garcia Lacey, Darrell Tsosie, and a minor child, represented by his guardian Gary Hicks. The lawsuit alleged Rehoboth McKinley Christian Health Care Services had failed to implement appropriate safeguards to prevent unauthorized access to their protected health information and also unnecessarily delayed issuing notifications to affected individuals.
The lawsuit alleged Rehoboth McKinley Christian Health Care Services violated New Mexico and Arizona consumer protection statutes, and included claims of negligence, intrusion upon seclusion, breach of implied contract, and breach of fiduciary duty, although the claims for intrusion upon seclusion, breach of implied contract, and a violation of the Arizona Consumer Fraud Act were rejected. Rehoboth McKinley Christian Health Care Services had argued that there was no actionable duty to protect the plaintiffs’ data, but U.S. District Court Judge Steven C. Yarbrough ruled that Rehoboth McKinley Christian Health Care Services owed the plaintiffs a duty of ordinary care concerning the storage of their private information and was unable to demonstrate that recovery of the lost time in response to the breach was not permitted under state law.
Under the terms of the settlement, the 191,009 individuals in the class may submit claims for up to $500 to recover ordinary out-of-pocket expenses, which can include up to 4 hours of lost time at $15 per hour. Ordinary expenses include bank fees, long-distance phone charges, cell phone and data charges, postage, gasoline for local travel, credit report fees, and credit monitoring and identity theft insurance services. Claims may also be submitted for documented extraordinary out-of-pocket expenses up to a maximum of $3,500. In contrast to many settlements which are paid pro rata based on the number of claims, this settlement will cover the full $4,000 for all class members. Class members will also be provided with 2 years of complimentary credit monitoring services. Rehoboth McKinley Christian Health Care Services has also agreed to enhance data security. A final fairness hearing has been scheduled for May 24, 2022.
The post Rehoboth McKinley Christian Health Care Patients to Be Compensated Up to $4,000 for Data Breach appeared first on HIPAA Journal.