San Juan Regional Medical Center (SJRMC), a New Mexico-based healthcare facility, has offered to settle a lawsuit out of court. The lawsuit, Henderson et al. vs San Juan Regional Medical Center, alleges that the medical center was negligent in its duty to safeguard the data of its patients after a malware attack in 2020 led to a serious breach of protected health information. The lawsuit, though filed on behalf of Jeremy Henderson, is a class-action suit brought by over 68,792 patients.
The data breach in question occurred on September 8, 2020. During the attack, the hackers gained access to SJRMC’s network and accessed patient files that contained information such as dates of birth, passport information, Social Security numbers, financial information, health insurance information and details relating to patients’ treatment plans and diagnoses. All of these are considered to be sensitive health information and are protected under HIPAA.
However, the lawsuit was not filed under HIPAA, though it does state that the lack of safeguards to prevent the breach was a HIPAA violation. The suit also contends that SJRMC took too long to notify patients that their data had been accessed by unauthorized individuals. Henderson, for example, was not notified that his data had been stolen until more than a year after the attack occurred (September 13, 2021).
Choosing to settle the lawsuit out of court, SJRMC has offered all those affected two years of complimentary credit monitoring (in addition to the 12 months offered initially once the attack was detected). The affected individuals can also access identity theft monitoring services and claim up to $2,500 in compensation for costs related to the breach. These costs may include payment for identity theft insurance, fees for credit reports, or payment for additional credit monitoring services. The affected patients may also claim up to $17.50 per hour for time lost due to dealing with the data breach.
The medical center has offered this settlement without accepting liability for the breach or admitting to any wrongdoing. The settlement applies to all patients whose identifiable information was accessed during the breach, as well as those whose Social Security, financial account, driver’s license, or passport numbers had potentially been accessed.
Those covered by the settlement have until January 9, 2023, to object or ask to be excluded from the settlement. Any claims must be submitted by February 8, 2023, and a fairness hearing is scheduled for February 22, 2023.