DataBreaches.Net


Class action lawsuits following breaches in the medical sector: do they help or make things worse?

Posted on January 28, 2023 by Dissent

In their predictions for 2023, the very first prediction by Mary T. Costigan, Jason C. Gavejian & Joseph J. Lazzarotti of JacksonLewis involved healthcare and medical data security and tracking:

2023 will see a significant increase in the number of lawsuits and perhaps OCR compliance reviews relating to medical information privacy and HIPAA, including new developments such as pixel and other tracking technologies. We will see more regulation of health apps and websites as the necessities and advantages of remote health care that were brought by the pandemic are considered further.

DataBreaches concurs in their prediction about a significant increase in the number of lawsuits. As to compliance reviews, they may increase, but DataBreaches is not optimistic that enforcement actions will actually increase, although we certainly hope they will.

But the lawsuits have already been increasing dramatically in the past few years, it seems. If memory hasn’t totally failed me, it used to take years before a lawsuit stemming from a healthcare entity data breach would settle. Nowadays, there seems to be a much shorter time frame from breach disclosure to lawsuit filed to settlement.

The following are just a few of the many potential class action lawsuits filed or settled recently. In most of these lawsuits, plaintiffs generally are not alleging any concrete harm such as identity theft or fraud. And of course, in all of the settlements, the defendants deny any and all allegations but state that they are settling to avoid the costs of litigation, etc.

But do these lawsuits promote better data security? Do entities actually think, “Whoa, we’d better invest more in protecting data and monitoring business associates or we’ll get sued like they did?” Or do they think that their insurance will cover most litigation expenses and that is still cheaper than the cost of developing and implementing better data security?

Read more about some of the lawsuits, below, and see what you think.

Katherine Shaw Bethea Hospital: $380k Settlement

Katherine Shaw Bethea Hospital agreed to pay $380,000 to resolve claims it failed to prevent a data breach in September 2021. If you do not remember that incident at all, it involved the disclosure of patient information to other patients via mailings and an online portal. Notifications were made by Magnet Solutions, and the incident was reported to HHS as affecting 1,553 patients. The case was Doe, et al. v. Katherine Shaw Bethea Hospital, et al., Case No. 2021L00026, in the Circuit Court of Illinois for the 15th Judicial Circuit, and the settlement site is KSBSettlement.com. It does not appear to include any provisions for any enhancements in security or monitoring or auditing of business associates or data protection. Read more at TopClassActions.

Logan Health Medical Center: $4.3m Settlement

Logan Health Medical Center settled claims stemming from a 2021 hacking incident that potentially affected 213,543 patients and employees. This was the second breach-related lawsuit settled by the Montana provider in less than three years. Prior to rebranding from Kalispell Regional Healthcare in May 2021, the health system reported an undetected phishing attack in 2019 that led to a monthslong data compromise for 130,000 patients.

This case is Tafelski, et al. v. Logan Health Medical Center, Case No. ADV-22-0108 in the Montana 8th Judicial District Court for Cascade County. The settlement site is loganhealthsettlement.com. Read more at TopClassActions.

Paragraph 68 of the settlement reads:

Business Practice Changes. Logan Health agrees to provide Class Counsel information concerning the remedial actions that it has taken, began or planned since the Data Security Incident as part of its ongoing efforts, to enhance, improve, and strengthen its cybersecurity training and awareness programs, data security policies, security measures, restrictions to accessing Personal Information, and its monitoring and response capabilities.

No other references were found in the settlement agreement to any specific improvements or changes in security measures.

San Andreas Regional Center: Undisclosed Amount

According to plaintiffs in the class action lawsuit, San Andreas Regional Center failed to protect consumer data through reasonable cybersecurity measures. The center reported experiencing a ransomware attack in July 2021 that affected more than 57,000 patients.

The case is Lopez, et al. v. San Andreas Regional Center, Case No. 21CV386748, in the California Superior Court for Santa Clara County. The settlement site is sarcdatasettlement.com. Read more at TopClassActions.

Paragraph of the settlement agreement reads:

Remedial Measures/Security Enhancements. Plaintiffs have received assurances that SARC has implemented or will implement certain reasonable steps to adequately secure its systems and environments, including taking the steps listed in Exhibit 1 to Plaintiffs’ Unopposed Motion for Preliminary Approval of Class Action Settlement (the confidential declaration agreed SARC will pay costs associated with these security-related measures separate and apart from the other settlement benefits described in this Settlement Agreement. Exhibit 1 will be filed under seal.

Well, that sounds a bit more hopeful.

As to the lawyers’ predictions about lawsuits stemming from Meta pixel tracking, a number of those have already been filed, and DataBreaches anticipates many more will be filed. A recent filing, Doe v. The Christ Hospital in Ohio, is somewhat more detailed than many lawsuits, as it includes images of highlighted source code showing the problems.

 

Category: Breach Incidents, Commentaries and Analyses, Exposure, Hack, Health Data, Malware, U.S.
