The San Juan Regional Medical Center (SJRMC) has proposed a settlement to a class-action lawsuit. The lawsuit, Henderson et al. vs San Juan Regional Medical Center, concerned a data breach that affected 68,792 patients.
On September 8, 2020, the New Mexico-based medical center was targeted by hackers who subsequently gained access to their network. While on the network, the hackers accessed files that contained private patient information such as names, dates of birth, Social Security Numbers, passport information, bank account numbers, health insurance information and medical data. Upon detection of the attack, SJRMC offered the affected patients 12 months of complimentary credit monitoring.
However, the lawsuit – filed on behalf of Jeremy Henderson and other patients – alleges that the medical center was negligent in its duty to protect patient data. Though the lawsuit was not filed over a HIPAA violation, it still contests that the lack of security violated HIPAA. The lawsuit also alleges that SRJMC took too long to notify affected individuals about the breach; Henderson was not notified that his information was accessed for more than a year after the attack occurred.
SRJMC has offered to settle the case out of court, though has done so without admitting wrongdoing or accepting liability for the data breach. The settlement covers all patients whose identifiable information was accessed during the attack, as well as those whose Social Security, financial account, driver’s license, or passport numbers had potentially been compromised.
Each of the affected individuals can receive two further years of complimentary credit monitoring alongside identity theft protection services. They are also able to claim up to $2,500 in compensation for losses related to the breach (such as fees for credit reports, credit monitoring services and identity-theft insurance premiums). They may also claim up to $17.50 an hour for lost time spent dealing with the effects of the breach.
Those involved in the lawsuit have until January 9, 2023 to object or ask to be excluded from the settlement. Claims must be submitted by February 8, 2023, and a fairness hearing is scheduled for February 22, 2023.