Grays Harbor Community Hospital and Harbor Medical Group agreed to the proposed settlement of the class-action lawsuit filed by the representative plaintiff over a ransomware attack in June 2019 that caused patient data encryption.
The plaintiff and Grays Harbor discussed the settlement to avoid the uncertainty of a trial and the expenditures of further litigation. The Court did not decide the settlement in favor of either party.
The Washington healthcare provider identified the ransomware attack in June 2019 and shut down its systems to block the virus, but it was too late as its computer systems were already encrypted. Grays Harbor created data backups in case of such an incident. However, the ransomware attack encrypted the backup files as well. The provider’s electronic health record system was also inaccessible for about two months.
The attackers demanded a ransom of $1 million for the keys to decrypt the data. Gray’s Harbor got an insurance policy that covers up to $1 million, though it is uncertain whether that insurance policy covered expenses and paid for the ransom demand. Irrespective, it was not possible to retrieve all encrypted data in the attack. The protected health information (PHI) of some patients was not retrieved.
The lawsuit claimed the provider violated several rules including the:
- Washington State Uniform Healthcare Information Act
- Washington State Consumer Privacy Act
- State Constitution’s Right to Privacy
The lawsuit further claimed that Harbor Medical Group and Grays Harbor Community Hospital neglected to secure the privacy of patients and had a breach of implied contract, a breach of express contract, and an intrusion of privacy.
The agreed settlement entailed no admission of liability on the part of Harbor Medical Group and Grays Harbor Community Hospital. All claims mentioned in the lawsuit were denied.
Grays Harbor Community Hospital and Harbor Medical Group proposed a settlement amount of $185,000 for covering the claims of the 88,000 patients affected by the ransomware attack. Patients affected by the breach can submit claims for a maximum of $210 per person to cover out-of-pocket expenses incurred because of the breach and approximately three hours of documented lost time handling the after-effects of the breach at a price of $15 per hour.
Claims as high as $2,500 can also be filed for other provable losses acquired that were more possible than not because of the ransomware attack. All available credit monitoring insurance and identity theft insurance should be depleted before Grays Harbor is accountable for any bigger payouts. When the claims go over $185,000 they will be paid pro-rata to minimize costs.
Class members have until July 27, 2020 to exempt themselves from the settlement or file an objection. There will be a fairness hearing on August 31, 2020. To get a share of the settlement fund, submit a claim by December 23, 2020.
Subsequent to the ransomware attack, the provider took steps to improve security and spent more than $300,000 in information security. Another $60,000 will be invested in security enhancements over the next three years.
This data breach settlement is the second announcement this week. The first settlement was proposed by UnityPoint Health to resolve a lawsuit filed by victims of two 2018 phishing-related data breaches. UnityPoint Health agreed to settle claims for $2.8 million or more as there is no cap on claims payments.