Settling of Two Data Breach Lawsuits and Update on Christ Hospital Website Lawsuit

San Andreas Regional Center Offers to Settle 2021 Ransomware Attack Lawsuit

San Andreas Regional Center has decided to settle a class action lawsuit over a July 2021 ransomware attack in which hackers gained access to the personal data of over 57,000 individuals.

The healthcare provider, based in San Jose, CA, helps persons with developmental disabilities at its centers in Santa Cruz, Santa Clara, Monterey, and San Benito counties. The ransomware attack happened on or about July 5, 2021. Before encrypting files, the threat actor likely viewed and extracted sensitive patient records, including names, addresses, email addresses, birth dates, phone numbers, Social Security numbers, health plan beneficiary numbers, medical insurance data, full-face pictures, and medical data. Impacted persons were informed about the cyberattack in August 2021 and received free identity theft protection and credit monitoring services.

The Lopez, et al. v. San Andreas Regional Center lawsuit was filed in the Superior Court of California in connection with the breach. It claimed that the healthcare company was negligent for not using appropriate cybersecurity procedures to defend against ransomware attacks, in spite of knowing the substantial risk of attacks on the healthcare industry. The lawsuit claimed that the plaintiff and class members currently face a substantial risk of identity theft and fraud due to the data breach, and have sustained out-of-pocket expenses and lost time safeguarding their accounts and protecting against the improper use of their personal data and protected health information (PHI).

San Andreas Regional Center denies all claims associated with the data breach but decided to settle the lawsuit to avoid additional legal expenses and the possibility of a trial. Under the terms of the proposed settlement, class members are eligible to file claims of as much as $500 for documented ordinary expenses that are reasonably traceable to the data breach, for example, bank charges, credit expenses, and communication expenses, and around 3 hours of lost time worth $20 an hour. Claims of as much as $2,500 will be approved for documented extraordinary costs because of identity theft and fraud.

Affected individuals who wish to object to or exclude themselves from the proposed settlement can do so until March 13, 2023. Claims should be filed by August 2, 2023. The hearing for the final approval of the proposed settlement is scheduled for August 2, 2023. The lawyers in this class-action lawsuit are attorneys David K. Lietz of Milberg Coleman Bryson Phillips Grossman PLLC and Michael Anderson Berry of Clayeo C Arnold PC.

Katherine Shaw Bethea Hospital Offers to Pay $380K to Settle Data Breach Lawsuit

Katherine Shaw Bethea (KSB) Hospital, based in Dixon, IL, has offered to pay $380,000 to settle claims associated with a data breach that happened at a business associate of the hospital in September 2021. The business associate, Magnet Solutions, is a healthcare accounts receivable service provider located in Scottsbluff, NE. KSB Hospital uses the billing-related services of Magnet Solutions.

From September 17 to September 20, 2021, Magnet Solutions prepared and mailed billing statements to KSB patients. Because of a software malfunction, the billing statements were mailed to the wrong persons. The statements contained names, names of treating doctors, encounter numbers, and dates and locations of service. Based on the breach notice sent to the HHS’ Office for Civil Rights, the data breach impacted 1,553 persons. Magnet Solutions informed the affected individuals about the breach in November 2021 and offered them free credit monitoring and identity theft protection services.

The John Doe, et al. v. Katherine Shaw Bethea Hospital, et al. lawsuit alleges the impermissible disclosure of the plaintiff's billing statements to other individuals through the mail and web portals. Allegedly, those statements held very sensitive data concerning medical treatments received at KSB Hospital. The lawsuit claimed violations of Illinois statutes and government laws and a breach of fiduciary duty.

KSB Hospital and KSB Medical Group, the operator of the hospital, did not admit to any wrongdoing but opted to settle the lawsuit. The class is composed of all persons who received a notification letter regarding the data breach. Magnet Solutions sent the breach notification letter on behalf of KSB Medical Group, informing recipients about the impermissible disclosure of their information in September 2021. Under the terms of the proposed settlement, class members are eligible to file claims for a cash payment of up to $250. If the submitted claims have a total value higher than the settlement amount, the recipients will be paid pro rata.

Class members who would like to object to or exclude themselves from the settlement can do so until February 8, 2023. Those who wish to file claims for cash payment must do so on or before March 22, 2023. The hearing for the final approval of the proposed settlement is scheduled for March 28, 2023.

Update on Lawsuit Filed Against Christ Hospital Website

At the beginning of January, a lawsuit was filed against The Christ Hospital, based in Cincinnati, OH, over the use of third-party tracking code on its website that transmitted sensitive patient information to Meta and other third parties without patient consent.

A number of healthcare providers had reported similar data breaches associated with tracking technologies that led to the impermissible disclosure of patient data. The HHS’ Office for Civil Rights therefore issued guidance on adding tracking technologies to hospital sites, stating that these technologies can potentially violate HIPAA Regulations when used without patient consent or a signed business associate agreement. The Christ Hospital doesn’t seem to have reported any such data breach at this point.

On January 10, 2023, attorney James Eugene Burke III filed the Doe v. The Christ Hospital lawsuit in Hamilton County Court, although it has since been transferred to federal court. According to the lawsuit, The Christ Hospital website urges patients to use its search engine to locate doctors in its network, and patients could book visits with those doctors on the web. The hospital website purportedly contains Meta Pixel as well as other third-party code, which gathers data regarding the activities of site users and sends that data to Meta and other entities, with the data possibly used to target patients with ads on Facebook or other Meta websites.

The lawsuit claims that patients who searched for mental health care, cancer treatments, and even sexually transmitted infections can be served ads linked to their queries on the portal. The lawsuit additionally claims that the MyChart patient website has third-party code that can possibly send communications with doctors to third parties with no patient consent, in violation of the HIPAA Rules.

The plaintiff in the lawsuit is named as Jane Doe and seeks class-action status for all patients affected in the same way. The lawsuit seeks a trial by jury, punitive damages, and damages of more than $25,000. The Christ Hospital says that it is not offering patient data for sale to Meta or any other third party. The hospital is still looking into the lawsuit claims.

 

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA