McPherson Hospital Settles Class Action Data Breach Lawsuit for $500,000

By Daniel Lopez

McPherson Hospital, a 25-bed critical access hospital in Kansas, has agreed to resolve a class action lawsuit with a $500,000 settlement fund. The lawsuit alleges that the hospital failed to apply acceptable and proper safety measures to secure patient information. According to the lawsuit, the data breach could have been prevented if the hospital had implemented those safeguards.

In compliance with HIPAA breach notification law, McPherson Hospital sent notification letters to 19,020 individuals in May 2023 informing them that some of their protected health information (PHI) had been accessed and potentially stolen in a ransomware attack in July 2022. The ransomware group gained access to the hospital's system because a worker acted on a phishing email and exposed their credentials. The investigation of the incident and analysis of the compromised files confirmed on March 15, 2023, that patient data had potentially been accessed and stolen. Stolen data included names, birth dates, medical treatment data, Social Security numbers, billing details, and medical insurance data. The impacted people were offered free single-bureau credit monitoring services for 12 months.

People impacted by the data breach filed a lawsuit in McPherson County District Court in the Ninth Judicial District of Kansas. McPherson Hospital decided to settle the McPherson Hospital Data Security Incident Litigation without admitting wrongdoing in order to end the litigation, stop legal expenses from growing, and avoid the uncertainty of trial.

Class members are eligible to claim as much as $400 for reimbursement of documented ordinary losses, and around 3 hours of lost time valued at $30 per hour. Claims of as much as $5,000 may be filed for identity theft and fraudulent account costs and documented extraordinary losses. People who do not file claims for reimbursement of losses may receive $75 cash payments, but the cash awards might be paid pro rata based on the number of claims submitted. All class members will also receive free credit monitoring services for 3 years. The deadline for filing claims is January 29, 2025. The final approval hearing is scheduled for February 5, 2025.



Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years of experience as a HIPAA coach. Daniel contributes his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA