BJC HealthCare Settles Data Breach Lawsuit Arising from 2020 Phishing Attack

BJC HealthCare is settling a class action lawsuit that accused it of failing to properly protect patient data from phishing attacks. On May 5, 2020, the nonprofit hospital system based in St. Louis reported an email system breach that affected 287,876 people. The investigation confirmed that three email accounts were compromised in March 2020 as a result of responses to phishing emails. Although data theft could not be established, the affected email accounts contained the protected health information (PHI) of patients of 19 of its hospitals. The types of information potentially compromised include names, birth dates, health insurance data, driver's license and Social Security numbers, and healthcare data.

The lawsuit, filed in the Circuit Court of the City of St. Louis, State of Missouri, initially alleged 10 counts against the defendants and survived two motions to dismiss, with the lawsuit permitted to continue on 8 of the 10 counts:

  • breach of contract
  • unjust enrichment
  • negligence
  • negligence per se
  • vicarious liability
  • breach of the covenant of good faith and fair dealing
  • violations of the Missouri Merchandising Practices Act (MMPA) and Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA)

BJC HealthCare agreed to settle the lawsuit with no admission of liability or wrongdoing. Under the terms of the settlement, BJC HealthCare will allocate funds to cover claims from affected persons up to a maximum of $5,000. Every affected individual may submit a claim for ordinary and extraordinary expenses incurred because of the data breach.

Claims may be filed for ordinary costs such as bank fees, interest, credit tracking expenses, postage, mileage, and around 3 hours of lost time at $20 per hour. Ordinary claims are limited to $250 per person. Claims of as much as $5,000 may be submitted for extraordinary expenses, such as documented monetary losses and around three hours of additional lost time at $20 per hour. BJC HealthCare has additionally agreed to provide two years of free identity theft protection and credit monitoring services. Named plaintiffs will get approximately $2,000, and BJC HealthCare will cover the plaintiffs' legal expenses. BJC HealthCare has allocated $2.7 million to cover the cost of implementing multi-factor authentication for its email accounts to strengthen protection against phishing attacks.

Claims should be filed by Dec. 14, 2022. The hearing on the final approval of the settlement is scheduled for Sept. 6, 2022.

In May 2022, BJC HealthCare reported one more email breach to the HHS' Office for Civil Rights. The incident was listed as affecting 500 people – a common placeholder used until the precise number of affected persons is identified. The breach happened two months ago.