A class action lawsuit against California-based Salinas Valley Memorial Healthcare has resulted in a $340,000 settlement. The healthcare provider will establish the fund to resolve claims made by patients who had their PHI exposed in a breach in 2020.
After discovering an unauthorized third party had gained access to four employee email accounts and a contractor via phishing emails, Salinas Valley Memorial Healthcare immediately conducted a comprehensive forensic investigation to determine what information had been exfiltrated by the malicious actor. The investigation concluded that information including full names, hospital account numbers, medical record numbers, dates of service, and other information was obtained. Individuals affected by the breach were then sent a breach notification letter detailing the nature of the attack and what information had been gathered.
After the notification letters were issued, a class action lawsuit was filed against Salinas Valley Memorial Healthcare on behalf of the affected individuals. The plaintiff claimed that Salinas Valley breached its legal responsibilities by failing to stop the breach and failing to secure the plaintiff’s and the class members’ personal and protected health information, and that it was in violation of the California Confidential Medical Information Act. Despite these claims, Salinas Valley claims full compliance with the state laws and denies any wrongdoing with regard to the breach. However, the healthcare provider has chosen to settle the case due to legal costs and the uncertainty of trial.
Under the terms of the agreement, Salinas Valley has established a fund of $340,000 to cover claims made by individuals who had their PHI exposed in the breach. All affected individuals who received a breach notification letter from the healthcare provider regarding the exposure of their PHI will be qualified to request up to $750 for time spent mitigating the impact of the breach and out-of-pocket costs. Attorney fees, expenditures, and other court-approved charges will be subtracted before claims are paid out of the fund. If the total amount of the claims exceeds the settlement money, claims will be paid out proportionately. Salinas Valley Memorial Healthcare has also committed to strengthening its cybersecurity to mitigate the risk of an attack of this nature occurring again. These commitments include maintaining firewalls and access restrictions, undertaking third-party audits and frequent penetration testing, and regularly educating employees about security issues.