A class action lawsuit has been settled in the Harris County District Court in Texas involving the Methodist Hospitals Inc. The settlement comes as a result of a major data breach involving the unauthorized disclosure of sensitive patient information affecting more than 68,000 patients.
The breach of patient data was discovered in June 2019. After detecting suspicious activity in an employee email account, the organization discovered that an unauthorized third party had gained access to the account. Upon discovery, a comprehensive forensic investigation was conducted by the HHS’ OCR to determine how the email account had been accessed, how it was used, and whether patient data had been stolen. The investigation determined that two employee email accounts had been accessed because an employee responded to phishing emails. The first email account is said to have been accessed between March 13, 2019 and June 12, 2019, and the second account between June 12, 2019 and July 8, 2019. The malicious actors potentially obtained information such as names, dates of birth, addresses, Social Security numbers, usernames, passwords, payment card information, driver’s license numbers, and Medicaid/Medicare information.
In the wake of the data breach, plaintiff James Jones and other members of the class alleged that the Methodist Hospitals Inc. was negligent in insufficiently protecting the health information of its clients. As a result, the plaintiffs contend that they have suffered harm. Despite denying any wrongdoing, the Methodist Hospitals Inc. has agreed to a settlement of $425,000 to avoid additional legal fees and the uncertainty of trial.
Furthermore, the organization will offer 2 years of credit monitoring and identity theft resolution services to affected individuals free of charge. The Methodist Hospitals Inc. is updating its policies and procedures and will be putting further safeguards in place to strengthen security against future phishing attempts. It is recommended that all impacted individuals monitor their account statements for suspicious activity.