Settlement Reached in Community Health Systems Breach Suit
Under Proposal, Those Affected Would Be Eligible to Receive Payments
The settlement awaits final approval by a federal court in Alabama, which will hold a hearing on the matter in August, according to a statement on the settlement's claims administrator website.
A forensics investigation following the cyberattack determined that an "advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the company's systems," according to CHS' special filing to the U.S. Securities and Exchange Commission in August 2014 about the incident.
Plaintiffs in the case, who were treated at CHS-operated hospitals, alleged that CHS failed to implement and follow basic security procedures to safeguard their personal information. They argued that the healthcare organization violated various state consumer protection and data breach notification laws as well as the Fair Credit Reporting Act, according to the claims administrator website.
The lawsuit sought compensation for those who allegedly had losses as a result of the security incident, the site explains. CHS denied all of the plaintiffs' claims and said "it did not do anything wrong," it adds.
Franklin, Tenn.-based CHS owns, operates or leases 110 hospitals in 19 states with approximately 18,000 licensed beds, according to the company's website.
Neither CHS, its legal counsel, nor an attorney for the plaintiffs immediately responded to an Information Security Media Group request for comment.
Under the terms of the proposed settlement, class members are eligible to each receive up to $250 to reimburse them for their out-of-pocket expenses.
Those expenses include credit and identity monitoring services that were purchased between Aug. 18, 2014, and Aug. 1, 2019; up to five hours of documented lost time spent dealing with the security incident or identity fraud allegedly resulting from the incident calculated at the rate of $15 per hour; and other incidental expenses attributable to the security incident, including payments for credit freezes, unreimbursed overdraft fees, unreimbursed charges related to unavailability of funds, unreimbursed late fees and long distance telephone charges.
In addition, class members who had out-of-pocket losses attributable to actual identity fraud and/or identity theft that allegedly occurred as a result of the security incident are eligible to make a claim for reimbursement of up to $5,000.
Under the settlement agreement, the total amount of claims paid is capped at $3.1 million, according to the claims administrator website.
Many class action lawsuits stemming from data breaches are dismissed by the courts, and settlements remain relatively uncommon.
"The dividing line between sustaining a successful lawsuit or convincing an organization to agree to a monetary settlement is whether the consumers can show they incurred some financial loss as a result of the breach," says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.
While some judges have demanded that consumers must show direct actual harm as a result of a breach in order to succeed in their legal action, others "have adopted a presumption that harm occurred by exposing the consumers to the threat of financial fraud and identity theft" and concluded that consumers should be compensated for the costs incurred to prevent or mitigate the threat, Holtzman says.
Commenting on why CHS agreed to settle this particular case, privacy attorney Iliana Peters of the law firm Polsinelli notes: "It's likely that CHS balanced the desire to be good data stewards and respond to patients' concerns with the desire to avoid additional litigation in favor of a settlement that provides protection for affected patients. This is a very creative class action settlement that attempts to address the most difficult issue in data breaches - specifically, how to reimburse actual harm to the individuals affected, given it is extremely difficult to quantify such harm in many, if not most, cases."
Other noteworthy settlements of health data breach lawsuits include:
- A $115 million settlement reached in 2018 in the consolidated class action lawsuit against health insurer Anthem stemming from a cyberattack revealed in February 2015 that affected nearly 79 million individuals. Although the settlement is the largest ever recorded for a class-action lawsuit filed over a data breach, most victims were not expected to receive money. Most of the settlement is being used to fund two more years of credit monitoring and fraud resolution services for those individuals impacted. About 13 percent of the fund has been reserved for cash reimbursements for any victims who paid out of pocket for security monitoring services.
- A 2018 settlement of a class action lawsuit against Alabama-based Flowers Hospital called for $150,000 in relief for more than 1,200 individuals affected by a breach involving a former lab worker who was convicted of identity theft that led to federal tax refund fraud.
- A 2013 settlement for $3 million of a class action lawsuit against AvMed, a health plan company, stemming from a 2009 data breach. The settlement included payments to 460,000 individuals of up to $30 each, representing what AvMed should have spent on protecting data. In addition, individuals who were victims of identity theft as a result of the breach could submit claims to be reimbursed for their monetary losses.
Sharing Regulatory Penalties
Federal regulators have struggled with how to provide compensation to those affected by health data breaches, Peters says.
The HITECH Act of 2009 included a provision calling for the Department of Health and Human Services' Office for Civil Rights to share money collected from HIPAA settlements and penalties with breach victims. While that rulemaking has for years appeared on OCR's to-do list, it has yet to materialize (see: Sharing HIPAA Fines with Victims: Will It Ever Happen?).
"While I think there are some interesting cases addressing breaches in different contexts and affecting individuals in very specific ways ... I note that even OCR has been trying to better understand how to quantify harm resulting from breaches as part of the rulemaking effort pursuant to the HITECH Act, which requires that OCR share penalties with 'harmed individuals,'" Peters says.