San Juan Regional Medical Center (SJRMC), based in Farmington, New Mexico, has proposed a settlement to resolve a class action lawsuit related to a data breach in September 2020 that impacted 68,792 individuals.
On September 8, 2020, attackers gained access to the SJRMC system and exfiltrated files containing patient data, including names, birth dates, Social Security numbers, passport information, driver’s license numbers, financial account numbers, medical insurance data, diagnoses, treatment details, patient account numbers, and medical record numbers. San Juan Regional Medical Center stated at the time that the incident was due to a malware attack and not a ransomware attack. It provided free credit monitoring services to patients for 12 months.
The lawsuit, Henderson, et al. v. San Juan Regional Medical Center, was filed on behalf of Jeremy Henderson, one of SJRMC’s patients, and other patients similarly impacted by the incident. The lawsuit claimed SJRMC was at fault for not sufficiently securing patient information. Although the legal action was not brought over a HIPAA violation, the lawsuit claimed that the lack of proper security measures amounted to a HIPAA violation.
SJRMC opted to settle the lawsuit to avoid further legal expenses and the prospect of a trial; however, it did not admit any wrongdoing or liability for the attack and data breach. The settlement covers all persons whose personally identifiable information (PII) or protected health information (PHI) was compromised in the cyberattack, along with a subclass of persons who were informed by SJRMC about the potential compromise of their Social Security numbers, passport numbers, driver’s license numbers, or financial account numbers.
Under the terms of the settlement, all impacted persons are eligible to receive two years of free identity theft protection and credit monitoring services. The subclass can also file a claim for as much as $2,500 as payment for losses sustained because of the breach. The losses consist of reimbursement of out-of-pocket expenses; payment for charges on credit reports, credit tracking, or other identity-theft insurance coverage bought after October 13, 2022; payment at $17.50 per hour for lost time associated with the cyberattack, when a minimum of one hour was lost dealing with the consequences of the data breach; and payment for documented monetary losses.
The final details for rejection or exemption from the negotiation are available on January 9, 2023. All claims should be submitted on February 8, 2023. A fairness hearing for the settlement will be held on February 22, 2023.