LifeBridge Health has agreed to settle a class action lawsuit following a data breach. In March 2018, the healthcare provider discovered that a malware infection was providing unauthorized access to its server. Following the breach, affected individuals claimed that LifeBridge Health was negligent and started a class action lawsuit.
The breach came from a malware infection which gave individuals unauthorized access to electronic medical records, patient registration and billing systems. While it was discovered in March 2018, the investigation found that the access had been ongoing for 18 months. The initial intrusion into the server had occurred in September 2016. The company disclosed that 582,174 patients had potentially had their information compromised. The information accessed included:
- Dates of birth
- Medications prescribed
- Clinical and treatment information
- Insurance details
- A limited number of Social Security numbers
The individuals who started the lawsuit alleged that LifeBridge was negligent because it failed to follow basic security practices. In doing so, they claimed, LifeBridge violated several privacy protection statutes in Maryland, including the Maryland Personal Information Privacy Act, the Maryland Social Security Number Privacy Act, and the Maryland Consumer Protection Act.
The lawsuit alleged that class members had been exposed to serious harm and that their protected health information was now in the hands of identity thieves, placing them at immediate and ongoing risk of identity theft and fraud. Plaintiffs state they have:
- Suffered monetary losses
- Had financial transactions declined
- Experienced issues with their email accounts
- Had fraudulent accounts created in their names
- Had fraudulent claims for unemployment benefits and loans filed in their names
LifeBridge did not admit to any wrongdoing and has not accepted liability for the incident. However, it chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. The total value of the settlement is $9.475 million.
Under the terms of the agreement, LifeBridge:
- Has agreed to create an $800,000 fund to cover claims from class members
- Will invest $7.9 million in additional security measures to prevent further data breaches, including:
  - Data encryption
  - Network monitoring
  - Security awareness training
  - Asset tracking
  - Multi-factor authentication
This is another case showing that not investing in your business's privacy and security programs and policies can prove significantly more costly. Contact us today to find out how Value Privacy can help your business stay safe.