Salinas Valley Memorial Healthcare System based in California has decided to negotiate a class action lawsuit by paying $340,000 to settle claims from patients impacted by the email security breach in 2020.
From April 30, 2020 to June 5, 2020, unauthorized persons were able to access the email accounts of a contractor and four staff members after having responded to phishing emails. Immediate action was undertaken to protect its email environment; however, the attacker(s) had access to email accounts that contain sensitive patient data such as names, medical record numbers, hospital account numbers, dates of service, and other data for 5 weeks.
A patient impacted by the data breach took legal action against Salinas Valley. The plaintiff claimed that Salinas Valley acted improperly with its failure to avoid the attack, didn’t do its legal responsibilities to protect the personal data and protected health information (PHI) of the plaintiff and class members, and broke the California Confidential Medical Information Act, Civil Code §§ 56 et seq.
Salinas Valley states that it was in full compliance with state regulations and did not admit any wrongdoing associated with the data breach; nevertheless, it made a decision to negotiate the lawsuit to stop continuing legal charges and the uncertainty of a trial. Based on the conditions of the proposed arrangement, funding worth $340,000 was created to pay for claims from people impacted by the breach.
All patients who got a breach notification letter from Salinas Valley regarding the breach of their personal data and PHI will be eligible to file a claim for as much as $750 to cover out-of-pocket expenditures and time expended remediating the security breach. Claims are going to be compensated using the fund after deducting attorneys’ service fees, expenditures, and other court-authorized expenses. Claims are going to be compensated pro rata in case the total claims is more than the fund of the settlement. The settlement is not yet approved by the court.
Salina valley has additionally determined to enhance security, thus taking steps such as getting third-party audits and standard penetration tests, using firewalls and access controls, and giving employees regular training on security awareness.
Claims should be filed on or before August 26, 2022. Any person who does not agree to the settlement or would like to take themselves out of the class should do it by August 11, 2022.