Community Health Systems’ (CHS) is offering compensation to its patients for the theft of their protected health information (PHI) during a cyberattack in 2014. Community Health Systems Tennessee is one of the biggest healthcare systems managing more than 200 hospitals in the U.S.
In 2014, CHS found that malware was installed on its systems, which allowed unauthorized persons to access patient data from April to June 2014. It is believed that people behind the cyberattack were threat actors located in China.
The attackers used an advanced variant of malware for the sole intention of acquiring sensitive data. Upon investigation of the breach, it was confirmed that patient information such as names, addresses, telephone numbers, birth dates, and Social Security numbers were exfiltrated. The attackers were able to steal the PHI of 4.5 million patients.
Back in 2014, it was the biggest healthcare data breach reported to the Department of Health and Human Services’ Office for Civil Rights. It is still one of the top six biggest healthcare data breaches ever.
After the breach, patients filed many lawsuits seeking compensation for their stolen personal data. The lawsuits were combined into just one lawsuit, which made it through the attempts of CHS for case dismissal. Now, the case reached a settlement.
The settlement states two payment options for breach victims. Persons who can show that they have sustained out-of-pocket costs because of the breach and/or can present proof of time lost protecting their accounts, can assert around $250 in settlement. Persons who sustained identity theft or fraud because of the breach can get around $5,000 in damages
Legal fees amounting to $900,000 were also covered by the settlement agreement in addition to a payment of $3,500 for every representative class member.
To be eligible for payment, victims should submit a compensation claim by August 1, 2019. Persons who do not agree to the settlement and those who want to submit an objection can notify CHS until May 18.
The settlement still needs to be evaluated for justness and sanctioned by a judge. A hearing was scheduled on August 13, 2019.