A settlement has been proposed by Farmington, New Mexico-based San Juan Regional Medical Center (SJRMC) in hopes of resolving an ongoing class action lawsuit concerning a data breach in September 202 that involved the PHI of approximately 69,000 individuals.
According to the lawsuit, threat actors had gained access to SJRMC’s network and obtained files containing the personally identifiable information of its patients. The information gathered included full names, Social Security numbers, driver’s license numbers, financial account numbers, passport information, health insurance information, treatment information, diagnoses, medical record numbers, and patient account numbers. The medical center identified that the breach was a result of malware. In response to the breach, SJRMC is offering a year of complimentary credit monitoring to affected patients.
On behalf of Jeremy Henderson, a patient at SJRMC, and other individuals who were similarly impacted by the breach, a lawsuit was filed in the name of Henderson, et al. v. San Juan Regional Medical Center. SJRMC was accused of negligence in the case for failing to effectively protect patient data. Even if a HIPAA breach did not result in legal action, the complaint claimed that the absence of adequate protections did. SJRMC decided to settle the case in order to avoid additional legal expenses and the uncertainty of a trial, but it has made no admissions of guilt and disclaimed any responsibility for the cyberattack and data breach. The settlement includes a subclass of persons who were informed by SJRMC that their Social Security, financial account, driver’s license, or passport numbers may have been impermissibly disclosed, as well as everyone whose personally identifiable information or protected health information was compromised as a consequence of the cyberattack.
According to the settlement’s conditions, each person impacted by the breach will receive two years of free credit monitoring and identity theft protection services, and the subclass will also be able to file a claim for up to $2,500 in damages for losses sustained as a result of the breach. These losses include out-of-pocket expenses, reimbursement for fees for credit reports, credit monitoring, or other identity-theft insurance products acquired after October 13, 2022, reimbursement at the rate of $17.50 per hour for time lost due to the cyberattack if at least one hour was lost dealing with the consequences of the data breach, and reimbursement for verified monetary losses.