Health Entity Agrees to Pay $7.9 Million to Improve Security
But Payments to 540,000 Class Members in Breach Settlement Capped at $800,000
A Maryland healthcare provider will spend nearly $8 million on data security to settle a class action lawsuit stemming from separate data breaches that, in all, affected at least 540,000 individuals.
Under the settlement, LifeBridge Health, which operates five hospitals and several medical facilities in the Baltimore area, also has agreed to pay up to $800,000 to reimburse class members. That includes reimbursements for out-of-pocket losses of up to $250 total for ordinary losses and lost time linked to the data breaches, and up to $5,000 for extraordinary losses.
Unlike many recent settlements in data breach class action cases, the LifeBridge settlement does not provide extended credit and identity monitoring to class members.
A final hearing on the settlement, which was approved in late May, is set for Oct. 26 at the Circuit Court for Baltimore City. LifeBridge denies any wrongdoing.
A LifeBridge attorney says the settlement's impetus was a desire "to avoid the ongoing costs associated with protracted litigation and to avoid exposure associated with an unpredictable outcome."
The multimillion-dollar investment into data security discussed in the settlement "is not a settlement payment, but is an estimate of the startup and ongoing costs relating to information security technologies that LifeBridge had already implemented and has agreed to keep in place for a specified period of time," says LifeBridge attorney Michael Baxter in a statement provided to Information Security Media Group.
The first of LifeBridge's two data breaches was discovered in March 2018. The incident involved malware that was later determined to have been installed 18 months earlier - in September 2016 - on a server hosting the electronic medical record system used by LifeBridge Potomac Professionals and LifeBridge's patient registration and billing systems (see: Malware Attacks: A Tale of Two Healthcare Incidents).
LifeBridge reported to the Department of Health and Human Services in May 2018 that the incident affected nearly 540,000 individuals, potentially compromising patients' names, addresses, dates of birth, diagnoses, medications, clinical and treatment information, insurance information, and in some instances, Social Security numbers.
The second breach, reported in June 2020, came to light when business associate M&T Bank notified LifeBridge that an "unknown individual" had fraudulently obtained copies of documents related to some patient accounts of LifeBridge's Sinai Hospital of Baltimore between December 2019 and April 2020. M&T is a banking vendor of Sinai.
"LifeBridge knew or should have known that M&T had insufficient security procedures and practices to protect the patient personal information that LifeBridge shared with M&T and therefore did not act with reasonable care in sharing patient Personal Information with M&T to carry out LifeBridge's business functions," the complaint alleged.
The lawsuit complaint also alleged that the data breaches were the result of LifeBridge failing to adequately protect the plaintiffs' and class members' personal information, putting individuals at risk for identity theft and fraud.
Attorneys representing plaintiffs in the lawsuit did not immediately respond to ISMG's request for comment on the settlement.
The spending LifeBridge has committed to under the settlement agreement is earmarked for remediating and enhancing the organization's data security. LifeBridge has agreed to data security improvements including more than $4.3 million to implement various security measures and another $1.8 million annually for two years to operate them, for a total of about $7.9 million.
Details of the security improvements LifeBridge has agreed to make, or has already made, include:
- Encrypting data at rest within its corporate electronic medical records system;
- Deploying software to track its biomedical devices;
- Implementing network monitoring to include detection and alerts involving anomalous activities that indicate the potential for data extraction;
- Applying Microsoft patch updates regularly to endpoints and servers, including back-end servers where appropriate;
- Implementing the use of two-factor authentication for remote access to Office 365;
- Putting into place enhanced email protection and filtering;
- Providing annual information security training for all associates and information security training for all new employees during orientation;
- Continuing to employ a CISO.