San Juan Regional Medical Center (SJRMC) in Farmington, New Mexico, has proposed a settlement to resolve a class action lawsuit filed in response to a September 2020 data breach that affected 68,792 patients.
On September 8, 2020, hackers gained access to the SJRMC network and exfiltrated files that contained patient information such as names, dates of birth, Social Security numbers, driver’s license numbers, passport information, financial account numbers, health insurance information, diagnoses, treatment information, medical record numbers, and patient account numbers. San Juan Regional Medical Center stated at the time that this was a malware, rather than a ransomware attack. Complimentary credit monitoring services were offered to patients for a period of 12 months.
A lawsuit – Henderson, et al. v. San Juan Regional Medical Center – was filed on behalf of Jeremy Henderson, a patient of SJRMC and other patients similarly affected by the breach. The lawsuit alleged SJRMC was negligent for failing to adequately secure patient data. While legal action was not taken over a HIPAA violation, the lawsuit alleged the lack of appropriate safeguards constituted a HIPAA violation.
SJRMC chose to settle the lawsuit to prevent further legal costs and avoid the uncertainty of trial but has admitted no wrongdoing and accepts no liability for the cyberattack and data breach. The settlement covers all individuals whose personally identifiable information or protected health information was compromised as a result of the cyberattack, as well as a subclass of individuals who were notified by SJRMC that their Social Security, financial account, driver’s license, or passport numbers had potentially been compromised.
Under the terms of the settlement, all affected individuals are entitled to receive two years of complimentary credit monitoring and identity theft protection services, with the subclass also entitled to submit a claim for up to $2,500 as compensation for losses suffered in response to the breach. Those losses include reimbursement of out-of-pocket expenses, compensation for fees for credit reports, credit monitoring, or other identity-theft insurance products purchased after October 13, 2022, compensation at $17.50 per hour for lost time related to the cyberattack if at least one hour was lost dealing with the effects of the data breach, and compensation for documented monetary losses.
The final data for objection to or exclusion from the settlement is January 9, 2023. All claims must be submitted by February 8, 2023. A fairness hearing for the settlement has been scheduled for February 22, 2023.
The post San Juan Regional Medical Center Settles Data Breach Lawsuit appeared first on HIPAA Journal.