Steve Alder reports:
HCA Healthcare Inc. has agreed to settle class action litigation stemming from a July 2023 data breach that was reported to the HHS’ Office for Civil Rights as affecting 11,270,000 patients. The affected individuals had received healthcare services at HCA hospitals and doctors’ offices in 20 U.S. states.
HCA Healthcare was targeted by hackers who accessed and stole data from an external storage location, which was used to automate the formatting of email messages. A database was stolen that contained 27.7 million records. The hackers listed the database for sale when the ransom was not paid. Data compromised in the incident included names, contact information, dates of birth, and appointment information.
Read more at HIPAA Journal.
DataBreaches broke the story of the HCA Healthcare breach in July 2023, and tfollowed up with additional coverage which was referenced in the class action complaint (In re HCA Healthcare, Inc. Data Security Litigation, Case 3:23-cv-00684).
As is often the case in such litigation, HCA Healthcare has not admitted any wrongdoing but has settled the consolidated class action lawsuit. The official settlement website is HCAHealthcareSettlement.com, where consumers can find out if they are eligible to be reimbursed and what documentation may be required. Eligible class members may be entitled to either of the following:
- Credit Monitoring and Insurance Services – One (1) year of the Credit Monitoring and Insurance Services (“CMIS”). CMIS will include credit monitoring, fraud consultation, and identity theft restoration services; AND
- Documented Loss Payment – Settlement Class Members may submit a claim for a Documented Loss payment of up to $5,000 with Reasonable Documentation supporting the loss as a result of the Data Incident.
DataBreaches notes that the settlement agreement also contains a section on HCA’s commitment to improving security, but details are filed under seal.
The total amount of the settlement has not been revealed, but has been estimated at $9M+ by extrapolating from the $3.1 million allocated for attorneys’ fees, which are often one-third of a total settlement amount.
This was not the only settlement involving HCA Healthcare announced this week, however. Courthouse News reported that HCA Healthcare settled a suit by several state attorneys general and the CFPB stemming from HCA Healthcare requiring nurses hired at HCA hospitals to sign a training repayment agreement provision as part of their employment contract. In total, HCA will pay $2.9 million in penalties between settlements in California, Colorado and Nevada.