Class Action Data Breach Lawsuit Settled by UCLA Health for $7.5 Million

A class action lawsuit filed on behalf of victims of data breach has been settled by UCLA. The lawsuit that was discovered in October 2014 will cost UCLA Health $7.5 million to settle.

Suspicious activity was discovered by UCLA Health on its network back in October 2014. Once detected, UCLA Health contacted the FBI to assist them with the investigation. The forensic investigation revealed that hackers had indeed gained access to its network, although it was believed that at the time they did not succeed in accessing the parts of the network where the medical center stored its patients’ medical information. On May 5, 2015, however, it was confirmed by UCLA that the hackers had in fact gained access to certain sections of the network containing patients’ protected health information and names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers may have been viewed or copied. 4.5 million patients were affected by the breach in total.

Upon the Department of Health and Human Services’ Office for Civil Rights investigation into the breach, they were satisfied with UCLA Health’s breach response and the administrative and technical safeguards that had been put in place after the breach to improve their security.

As a result of this UCLA Health avoided a financial penalty. However, a class action lawsuit was filed on behalf of patients affected by the breach. The complainants alleged UCLA Health failed to inform them about the breach in a timely manner, there had been violations to California’s privacy laws, breach of contract and the failure to protect the privacy of patients by UCLA Health constituted negligence.

UCLA Health notified patients about the breach on July 15, 2015. Although this was, in fact, in line with HIPAA requirements (under 60 days from the discovery that PHI had been compromised) the complainants believed they should have been notified in a more brisk manner, given the fact that it had been 9 months since the breach had occurred.

Under the terms of the settlement, all patients affected by the breach can claim two years of free credit monitoring and identity theft protection services. Patients will also be given the opportunity to make a claim to recover costs that have been placed upon them in protecting themselves against unauthorized use of their personal and health information. Furthermore, they also have the ability to submit a claim to recover losses suffered due to fraud and identity theft.

A claim of up to $5,000 can be made by patients in order to cover the costs of protecting their identities and even up to $20,000 for any damage or losses that resulted from identity theft and fraud. $2 million of the $7.5 million settlement has been put to the side to cover patients’ claims.  The $5.5 million remaining will be placed into a cybersecurity fund.  This fund will be used to improve cybersecurity defenses at UCLA Health.

May 20, 2019 is the cut-off date for patients to submit an objection or exclude themselves from the settlement. Preventative measure claim forms must be submitted by June 18, 2019. Patients also must enroll in the free credit monitoring and identity theft protection services by September 16, 2019. June 18, 2021 was the deadline for submitting claims for the reimbursement of losses is . The final court hearing on the settlement is set to take place on June 18, 2019.