Salinas Valley Memorial Healthcare System has agreed to pay $340,000 to resolve claims lax cybersecurity resulted in a 2020 data breach.
Five employee and contractor email addresses were reportedly compromised in April, May and June of 2020 through a phishing scheme. As Salinas claimed in their notification of July 1, 2020:
On April 30, 2020, SVMHS determined that the email account of one of its employees had been compromised. On May 7, 2020 and June 5, 2020 respectively, SVMHS subsequently determined that email accounts of a contractor and three other employees were also compromised. These five email accounts were compromised through Outlook Web Access, SVMHS’s browser-based email access solution.
The incident was reported to HHS on June 29, 2020 as impacting 2,384 patients. In closing its investigation into the incident, HHS wrote:
The covered entity (CE), Salinas Valley Memorial Healthcare System, reported that several workforce members were the victims of an email phishing attack that affected the electronic protected health information (ePHI) of 2,384 individuals. The ePHI involved included demographic and clinical information such as names, addresses, dates of birth, other identifiers, diagnoses/conditions, medications, and other treatment information. The CE notified HHS, affected individuals, and the media. In addition, the CE offered complimentary credit monitoring services to all affected individuals. In response to the breach, the CE sanctioned the workforce members involved in the incident, retrained workforce members on identifying fraudulent email communications, and implemented additional technical safeguards.
As is usually the case, there is no admission of wrongdoing by Salinas in the settlement.
In addition to any cash, Salinas agreed to take additional data security measures including hiring third-party auditors to conduct regular penetration tests, maintaining firewalls and access control, providing regular training of all personnel relating to phishing and other security attacks and conducting regular computer system scanning and security checks.
Read more about the terms of the settlement at Top Class Actions. Claims must be filed by August 26, 2022.
The settlement website is SalinasValleyMemorialSettlement.com.