Saint Francis Healthcare System reached a $350,000 settlement with the patients affected by a ransomware attack on Ferguson Medical Group (FMG) that occurred in September 2019.
Saint Francis had acquired FMG before the attack, which left the electronic health records on FMG's systems inaccessible. Rather than pay the ransom, Saint Francis chose to restore the encrypted data from backups. Although patient information and some other files were recovered, not everything encrypted during the attack could be restored. FMG could not recover a batch of records associated with medical services provided to patients between September 20, 2018 and December 31, 2018; that data was considered permanently lost. FMG reported that the breach affected approximately 107,000 patients, and those individuals were offered free credit monitoring services.
Saint Francis Healthcare faced a class-action lawsuit, filed in January 2020 in the U.S. District Court for the Eastern District of Missouri, alleging negligence, breach of express and implied contract, invasion of privacy, and violation of the Missouri Merchandising Practices Act. About 90,000 patients affected by the breach joined the lawsuit.
Although credit monitoring services were provided free of charge to affected individuals, the plaintiffs sought compensation for expenses incurred as a result of the data breach, including attorneys' fees. The lawsuit also asked that Saint Francis Healthcare implement additional safeguards to strengthen data security.
Saint Francis Healthcare filed a motion to dismiss the lawsuit in March 2020, arguing that the plaintiffs had not stated a viable claim for relief. The plaintiffs maintained that the motion lacked merit; even so, had the case gone to trial, the outcome would have been uncertain for both sides, and the two parties chose to settle out of court.
Under the proposed settlement, each plaintiff may claim up to $280 to cover out-of-pocket expenses incurred because of the breach, additional credit monitoring services, and compensation for time spent protecting their personal identities.
Saint Francis Healthcare also agreed to take the following steps to strengthen its security:
- reviewing its firewall protocols
- automatically upgrading its firewall to the most recent version
- applying patches promptly
- restricting remote access to legacy systems
- creating and enforcing new password management guidelines
- implementing multi-factor authentication on its VPN access points
- geo-blocking traffic to and from certain IP addresses
- removing RDP from the vendor access solution
- deploying a vulnerability scanning system
- providing more extensive cybersecurity training to employees
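Several of the agreed measures (removing RDP from vendor access, restricting remote access to legacy systems, and requiring MFA on VPN access points) can be verified with a simple configuration audit. The script below is an added illustration, not part of the article or of Saint Francis Healthcare's remediation program; the rule and gateway records it inspects are constructed sample data, and the field layout, port list and function names are assumptions chosen for the example.

```python
"""Audit constructed firewall rules and VPN gateway settings for the exposures
the settlement's remediation list targets: legacy remote-access protocols
reachable inbound, and VPN access points that do not enforce MFA.
"""
import ipaddress

# Constructed sample firewall rules (not from the article).
# Layout assumed for this example: (name, direction, protocol, port, source CIDR, action)
SAMPLE_RULES = [
    ("allow-https",   "in", "tcp", 443,  "0.0.0.0/0",      "allow"),
    ("vendor-rdp",    "in", "tcp", 3389, "0.0.0.0/0",      "allow"),  # RDP open to the whole internet
    ("legacy-telnet", "in", "tcp", 23,   "203.0.113.0/24", "allow"),  # cleartext remote access, one /24
    ("vpn-ipsec",     "in", "udp", 500,  "0.0.0.0/0",      "allow"),
    ("deny-all",      "in", "any", 0,    "0.0.0.0/0",      "deny"),
]

# Constructed sample VPN gateways and whether each enforces multi-factor authentication.
SAMPLE_VPN_GATEWAYS = {
    "vpn-hq":     {"mfa": True},
    "vpn-vendor": {"mfa": False},
}

# Ports of remote-access protocols that should not be reachable from untrusted networks.
LEGACY_REMOTE_PORTS = {23: "telnet", 3389: "rdp", 5900: "vnc"}


def is_internet_wide(cidr):
    """True when the source CIDR matches every address (a /0 prefix)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_rules(rules):
    """Return (rule name, severity, description) for every inbound allow rule
    that exposes a legacy remote-access port. Exposure to the whole internet is
    rated high; exposure to a narrower source range is rated medium."""
    findings = []
    for name, direction, _proto, port, src, action in rules:
        if direction != "in" or action != "allow":
            continue
        if port in LEGACY_REMOTE_PORTS:
            severity = "high" if is_internet_wide(src) else "medium"
            findings.append((name, severity,
                             f"{LEGACY_REMOTE_PORTS[port]} reachable inbound from {src}"))
    return findings


def vpn_gateways_without_mfa(gateways):
    """Return the sorted names of VPN gateways whose config does not enforce MFA."""
    return sorted(name for name, cfg in gateways.items() if not cfg.get("mfa"))


if __name__ == "__main__":
    for name, severity, detail in audit_rules(SAMPLE_RULES):
        print(f"[{severity}] {name}: {detail}")
    for name in vpn_gateways_without_mfa(SAMPLE_VPN_GATEWAYS):
        print(f"[high] {name}: VPN gateway without MFA")
```

On the sample data the audit flags the internet-wide RDP rule as high, the single-subnet telnet rule as medium, and the vendor VPN gateway for missing MFA; in practice the same checks would be run against rules exported from the real firewall and VPN configuration rather than constructed records.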
The settlement is currently awaiting the judge's approval. A conference before District Judge Stephen R. Clark of the U.S. District Court for the Eastern District of Missouri is scheduled for November 17, 2020.