Grays Harbor Community Hospital Agreed to $185,000 Settlement of Ransomware Lawsuit

Grays Harbor Community Hospital and Harbor Medical Group accepted the proposed settlement deal of the class-action lawsuit that the representative plaintiff filed in connection with a ransomware attack in June 2019 that resulted in patient data encryption.

The plaintiff and Grays Harbor bargained with each other to prevent the uncertainty of a trial and the expenses of litigation. The Court didn’t approve of the settlement favoring any party.

The Washington healthcare provider discovered the ransomware attack in June 2019 and turned off its systems to hold off the virus, however, it was quite late as its computer networks had been encrypted already. Grays Harbor created backups of its information in case of such a scenario, nevertheless even the copied files were likewise encrypted during the attack. Due to the ransomware attack, its electronic health record system was unavailable for roughly 2 months.

The attackers required a ransom payment of $1 million for the data decryption keys. Gray’s Harbor possessed an insurance plan that pays for around $1 million, even though it is ambiguous if that insurance policy covered expenditures and paid off the ransom. No matter what, it wasn’t possible to bring back all encrypted information in the attack. The protected health information (PHI) of some patients was not restored.

The lawsuit purported the provider broke a number of laws including the:

  • Washington State Uniform Healthcare Information Act
  • State Constitution’s Right to Privacy
  • Washington State Consumer Privacy Act

The lawsuit further purported that Harbor Medical Group and Grays Harbor Community Hospital failed to take care of patient privacy, breach of implied and express contract, and an invasion of seclusion/ intrusion of privacy.

Harbor Medical Group and Grays Harbor Community Hospital accepted the settlement deal without admission of liability. All claims said in the legal case were denied.

Grays Harbor Community Hospital and Harbor Medical Group offered a settlement deal of $185,000 to pay the claims of the 88,000 patients impacted by the ransomware attack. Impacted patients could file claims as much as $210 per individual to pay out-of-pocket expenditures sustained due to the breach and around three hours of recorded lost time taking care of the consequences of the breach at a fee of $15 per hour.

Claims as much as $2,500 will likewise be accepted for documented other losses sustained that were most probably caused by the ransomware attack. All accessible credit monitoring insurance and identity theft insurance ought to be used up before Grays Harbor will pay for any greater payouts. In case the claims go beyond $185,000 they are going to be paid pro-rata to lower expenses.

Class members have up to July 27, 2020 to not include themselves from the settlement deal or send a complaint. There is a scheduled fairness hearing on August 31, 2020. To obtain a portion of the settlement budget, submit a claim on/or before December 23, 2020.

Right after the ransomware attack, the provider took action to enhance security and invested over $300,000 in information security. $60,000 more is going to be put in on security developments in the following 3 years.

This data breach settlement deal is the second this week. The first settlement deal was offered by UnityPoint Health to take care of a lawsuit over two 2018 phishing-associated data breaches. UnityPoint Health decided to compensate claims for $2.8 million or higher as there’s no limit on claims payments.