A data breach class action lawsuit has been settled by LifeBridge Health Inc. to resolve claims made by individuals impacted by a data breach in 2018. LifeBridge Health’s settlement will amount to $9.475 million, which includes an $800,000 fund to cover the claims from class members.
After discovering a malware infection on their system in March 2018, LifeBridge Health conducted a forensic data breach investigation to determine how the unauthorized access had occurred and what information was obtained. The investigation concluded that a third party had access to the healthcare provider’s systems from September 2016. The servers accommodated its billing systems, electronic health records, and patient registration. Access to the servers gave the threat actors an opportunity to acquire several forms of personally identifiable patient information such as full names, birth dates, addresses, diagnoses, medication prescriptions. Insurance details, treatment information, and for some patients, Social Security numbers. LifeBridge Health informed the HHS’ Office for Civil Rights of the breach, confirming the breach involved the potential exposure of information relating to 582,174 patients. Subsequently, all impacted patients were also informed.
A lawsuit was filed in the Circuit Court of Baltimore City by law firm Murphy, Falcon, and Murphy on behalf of all affected patients. The plaintiffs allege that their identities had been stolen as a direct result of the breach after both experiencing incidents of credit card fraud shortly after the incident occured. Plaintiffs Jahima Scott and Darlene Johnson believe that their and all class members had their information exposed to serious harm. As a result, all affected individuals now face a greater risk of identity theft and fraud. Scott and Johnson alleged to have experienced financial losses, issues with their email accounts, had monetary transactions declined, had fraudulent accounts created in their names, and had their identity used to file for unemployment benefits. According to the lawsuit, LifeBridge Health was negligent and in violation of several protection statutes such as the Maryland Personal Information Protection Act, Maryland Social Security Number Privacy Act, and Maryland Consumer Protection Act.
Despite no admission of liability or wrongdoing, the healthcare provider agreed to settle the lawsuit due to the uncertainty of trial and ongoing legal costs. LifeBridge Health has agreed to establish a fund of $800,000 to resolve claims made by affected patients. Members of the class may submit claims for compensation for both ordinary and extraordinary losses, including claims for up to 3 hours of missed time at the rate of $20 per hour and an additional 2 hours if extreme losses were incurred. Bank fees, credit monitoring, credit freezing, communication charges, and other expenditures may be claimed as ordinary losses up to a limit of $250 per class member, and extraordinary losses up to a maximum of $5,000 per claimant. LifeBridge has said that they will invest approximately $7.9 million to develop a more stringent and secure cybersecurity system to prevent further data breaches. Security measures include data encryption, network monitoring, security awareness training, asset tracking, and multi-factor authentication.