When one of the former patients at a hospital managed by St. Joseph Health System ran a routine Google search of her name four years ago, she found that her medical records from this hospital were available online.
Interestingly, an investigation revealed that these records, which included diagnosis lists, active medication lists, lab results, medication allergies, body mass index and blood pressure, among other details, had not been stolen.
Instead, “the data exposure occurred as a result of misconfigured security settings”: the internal systems of five SJHS hospitals were so insecure that they allowed unrestricted external access.
The investigation discovered that more than 31,000 patient health records were exposed to the public for close to a year. Under California law, which requires that the victims of a breach (as well as the authorities) be notified of such an event, SJHS was required to send a letter to each affected patient.
Two of the victims filed a class action lawsuit against SJHS, and after a two-year legal battle, a state court judge in California approved the highest-ever per-plaintiff cash settlement in a data breach case, which will cost SJHS up to $28 million.
As per the settlement’s terms, the plaintiffs will receive $7.5 million. SJHS must spend $4.5 million on credit monitoring services for all affected patients and establish a $3 million fund to compensate those who sustain identity theft losses resulting from the breach.
A further $7.4 million of the settlement will cover attorneys’ fees, and a mandatory sum of $13 million must be spent on making SJHS’ hospitals compliant with regulations.
In addition to the class-action settlement, SJHS might be the subject of a corrective action plan or a financial penalty for the breach, depending on the outcome of investigations by the Department of Health and Human Services’ Office for Civil Rights.
“This settlement should give businesses a clear idea of the rising cost of failing to properly protect all personal data in their care,” commented Lysa Myers, a security researcher at ESET.
“It's important for organizations to secure access to machines storing sensitive data and to protect the databases themselves. Without doing a regular, ongoing risk assessment, and then putting strong authentication and robust encryption where it's needed, it's far too easy for sensitive data to fall through the cracks.”