Overlake Hospital Medical Center Proposes Settlement to Close the Data Breach Case

Overlake Hospital Medical Center, based in Bellevue, WA, has proposed a settlement to resolve a class-action lawsuit it is facing. Victims of a data breach in December 2019 filed the lawsuit over the exposure of patients’ demographic information, medical insurance information, and health data.

The breach occurred because of a phishing attack that was identified on December 9, 2019. The investigation revealed that unauthorized people acquired access to the email accounts of a number of employees. One of the email accounts was compromised between December 6, 2019 and December 9, 2019, and the others were compromised on December 9 for a few hours.

The investigation did not find evidence of theft or misuse of patient information; however, it was not possible to rule out unauthorized access to protected health information (PHI) and data exfiltration. The PHI of approximately 109,000 patients was in the compromised email accounts.

Affected persons were informed about the breach starting on February 4, 2020, and Overlake Hospital Medical Center took a number of steps to enhance security, including employing multi-factor authentication, altering email retention policies, and providing additional training to workers. Overlake Hospital Medical Center has spent $148,590 on upgrades to strengthen security since the breach occurred and has decided to make further improvements totaling $168,000 annually for the following 3 years.

According to the Richardson v. Overlake Hospital Medical Center lawsuit filed in the Superior Court of King County in Washington, Overlake Hospital was negligent for failing to stop unauthorized people from obtaining access to its systems. The lawsuit additionally alleged intrusion upon seclusion/invasion of privacy, breach of confidence, breach of express contract, breach of fiduciary duty, and breach of implied contract. Although 109,000 persons were notified of the breach, only 24,000 people are included in the class, since the other patients did not have their PHI breached.

The lawsuit stated the hospital didn’t employ reasonable safeguards to protect the privacy of HIPAA-covered information and did not give enough notice concerning the data breach. Overlake Hospital Medical Center has denied all claims stated in the lawsuit and all charges of wrongdoing. The decision was made to settle the lawsuit with no admission of liability.

Under the terms of the settlement, two types of claims may be submitted. Class members are eligible to claim as much as $250 for specific out-of-pocket expenses sustained due to the breach, such as bank fees, phone calls, postage fees, fuel for local travel, and around three hours of documented time at $20 hourly, provided a minimum of one full hour was spent on mitigations. Class members can also claim the cost of credit report fees and of credit monitoring and identity theft protection services obtained from February 4, 2020 to the date of the Court’s preliminary approval of the settlement.

Claims for reimbursement of extraordinary expenses can be submitted for as much as $2,500. These claims should include proof of losses that were more likely than not suffered because of the breach between December 1, 2019 and the end of the claim period.

A fairness hearing has been slated for Sept. 10, 2021.