BJC Healthcare Agrees To Data Breach Lawsuit Settlement

A class action lawsuit filed against Missouri-based BJC Healthcare has resulted in a settlement. The nonprofit healthcare provider has agreed to create a fund to resolve claims made by class members. The lawsuit comes as a result of a data breach involving the PHI of 287,876 individuals. 

In 2020, BJC discovered suspicious activity on its systems. The healthcare provider discovered that an unauthorized third party had gained access to the hospitals’ email system. An immediate forensic investigation was conducted to determine how the email system had been accessed and what information had been obtained by the malicious actors. The investigation concluded that 3 email accounts had been compromised in March 2020 as a consequence of responses to phishing emails. The information obtained in the attack included full names, date of births, health insurance information, Social Security numbers, driver’s license, and healthcare information. Despite identifying what information was taken, the investigation was unable to determine whether any misuse had taken place. BJC Healthcare reported the data breach to the HHS’ Office for Civil Rights on May 5, 2020 and sent breach notification letters to potentially affected individuals.

A class action lawsuit was then filed on behalf of patients who had their information exposed in the Circuit Court of the City of St. Louis of Missouri against BJC Healthcare. The case initially consisted of 10 counts against the defendants. However, the counts were then limited to 8 including unjust enrichment, breach of contract, negligence, negligence per se, breach of covenant of good faith and fair dealing, vicarious liability, and violations of the Missouri Merchandising Practicing Act (MMPA) and Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA).

Despite no admission of liability or wrongdoing, BJC Healthcare agreed to settle the case due ongoing legal costs and the uncertainty of trial. The hospital has agreed to cover claims made by affected individuals of up to $5,000. For both ordinary and extraordinary costs incurred as a result of the data breach, each affected person may file a claim. In addition, two years of credit monitoring and identity theft protection services will be offered free of charge. BJC Healthcare has established a $2.7 million fund to cover costs related to improving patient information security including multi-factor authentication for its email accounts.