Rehoboth McKinley Christian Health Care Services (“RMCHCS”) in New Mexico has reportedly settled litigation stemming from a ransomware attack that DataBreaches first reported in February 2021. Although Conti ransomware threat actors had added the health care service to their leak site and leaked some patients’ protected health information as proof of claims, RMCHCS disclosed nothing at the time.
On May 19, the service posted a notice on its website and notified 209,280 patients. The notification did not address whether RMCHCS had paid any ransom.
According to the settlement terms reported by Top Class Actions, RMCHCS admits no wrongdoing. No total settlement amount has been disclosed. Class members can receive up to $500 for “ordinary” data breach losses including bank fees, communication expenses, credit-related costs, and up to four hours of lost time at a rate of $15 per hour. Class members who experienced any “extraordinary” data breach expenses, including unreimbursed monetary losses caused by identity theft or fraud, are eligible to receive an additional $3,500 in reimbursement if they have supporting documentation.
The case is Charlie, et al. v. Rehoboth McKinley Christian Health Care Services, Case No. 21-652 SCY/KK, in the U.S. District Court for the District of New Mexico.
For more details and deadlines, see the official settlement website at RehobothDataSettlement.com.
DataBreaches notes one of the terms of the settlement:
New Practices: RMCHCS has implemented security-related improvements related to its cybersecurity since the Data Breach. RMCHCS agrees to provide Plaintiffs with information regarding these improved security-related measures implemented by RMCHCS no later than 60 days after execution of the Settlement Agreement.
DataBreaches hopes these will not be just “we retrained employees to be careful” kinds of improvements.
According to HHS’s public breach tool, its investigation of the incident remains open.