A nonprofit hospital system in Baltimore is paying almost $9.5 million to settle a class action lawsuit over a healthcare data breach. LifeBridge Health, Inc. (LifeBridge) has agreed to pay $800,000 to individual class members, $775,000 in fees, plus $7.9 million for additional cybersecurity protections to prevent additional incidents.

The lawsuit was not brought under HIPAA, because HIPAA does not give individuals a private right to sue. Instead, the claims are based on Maryland privacy and consumer protection laws. This case joins a long list of healthcare data breach lawsuits in which the plaintiffs do not wait for the HHS Office for Civil Rights (OCR) to enforce HIPAA but go to court themselves.

Cybersecurity Management Missteps

The LifeBridge lawsuit alleged that criminal hackers were able to access patient records due to LifeBridge’s “failure to safeguard and secure the medical information and other personally identifiable information” of its consumers. The suit also claims LifeBridge discovered the breach in late March 2018, but waited another two months to inform affected patients.

The class action stems from two separate cyber attacks. LifeBridge announced the first in May 2018 and the second in June 2020. In the earlier incident, LifeBridge disclosed that one of its servers had been compromised by malware in September 2016, affecting 530,000 patients. The server hosted LifeBridge Health electronic medical records and its patient registration and billing systems. LifeBridge did not discover the intrusion until March 2018, meaning the attackers had access for roughly 18 months before detection. The exposed data included names, addresses, dates of birth, Social Security numbers, health insurance information, diagnoses, and treatment information.

In June 2020, LifeBridge announced a second healthcare data breach. In this incident, an unauthorized user fraudulently obtained access to copies of documents held by M&T Bank in the lockbox account of LifeBridge's affiliate, Sinai Hospital of Baltimore, Inc.

Implement HIPAA Safeguards to Reduce Costs

The $9.5 million settlement is only part of the overall cost LifeBridge has borne in the four years since the first breach was discovered. Healthcare data breaches are expensive, and the bill includes the initial forensic investigation, legal fees, public relations and crisis management, business disruption, and loss of goodwill.

It is notable that the largest share of the $9.5 million settlement, $7.9 million, is earmarked for additional cybersecurity protections to prevent further incidents. Had LifeBridge put appropriate HIPAA safeguards in place before the attacks, including the audit controls and information system activity review the Security Rule already requires, an intrusion is far less likely to have gone unnoticed for 18 months, and many of these costs could have been avoided or reduced. Far fewer than 530,000 patients might have been affected.

The HIPAA Security Rule is a blueprint for reducing the risk of cyber crime. The Security Rule Checklist in The HIPAA E-Tool® makes it easy, step by step, to cover all the bases. Together with the full HIPAA Risk Analysis, the Checklist shows you exactly what to do to improve compliance and reduce risk.

Don't wait until after the crisis hits to take action. Begin with smart prevention today.
