Overlake Hospital Medical Center in Bellevue, WA has offered a settlement to take care of a class-action lawsuit it is facing. Victims of a breach in December 2019 filed legal action due to the compromise of the patients’ demographic data, medical insurance details, and health information.
The breach involved a phishing attack that was found out on December 9, 2019. The investigation showed that unauthorized persons obtained access to the email accounts of some employees. One email account was compromised from December 6, 2019 to December 9, 2019, and the other accounts were compromised on December 9 for a few hours.
The investigation didn’t discover evidence of theft or misuse of patient data, yet it wasn’t possible to exclude unauthorized access to protected health information (PHI) and information exfiltration. The PHI of around 109,000 patients was included in the compromised email accounts.
Impacted people were informed about the breach beginning on February 4, 2020 and Overlake Hospital Medical Center had taken a number of steps to strengthen security, such as using multi-factor authentication, modifying email retention guidelines, and giving more training to workers. Overlake Hospital Medical Center expended $148,590 on developments to reinforce security since the breach happened and has determined to do more changes amounting to $168,000 per annum for the subsequent 3 years.
According to the Richardson V. Overlake Hospital Medical Center lawsuit submitted in the Superior Court of King County in Washington, Overlake Hospital was at fault for failing to avert unauthorized persons from getting systems access. The lawsuit additionally alleged intrusion upon seclusion/invasion of privacy, breach of express contract, breach of confidence breach of implied contract, and breach of fiduciary duty. Though 109,000 people were advised regarding the breach, only 24,000 persons are involved in the class because all other patients didn’t have their PHI breached.
The lawsuit claimed the hospital did not use reasonable safety measures to make sure the privacy of HIPAA-covered data and didn’t deliver ample notice concerning the information breach. Overlake Hospital Medical Center has refused all claims mentioned in the lawsuit and all allegations of wrongdoing. The choice was made to negotiate the lawsuit without admitting liability.
Under the provisions of the settlement, two types of claims could be placed. Class members are allowed to claim around $250 for particular out-of-pocket expenditures accrued due to the breach, which include bank fees, telephone calls, postage expenditures, fuel for local travel, and about three hours of documented time at $20 each hour, provided no less than one full hour was used on mitigations. It is likewise possible to bring back the price of credit report fees, and credit monitoring and identity theft protection services obtained between February 4, 2020 and the day of the Court’s initial acceptance of the agreement.
Claims for extraordinary expenditure repayment can be submitted for approximately $2,500. These claims need to include proof of losses that were more possible than not sustained because of the breach from December 1, 2019 to the ending of the claim period.
A fairness hearing is timetabled for Sept. 10, 2021.