LifeBridge Health Pays Huge Settlement

A nonprofit hospital system in Baltimore is paying almost $9.5 million to settle a class action lawsuit over a healthcare data breach. LifeBridge Health, Inc. (LifeBridge) has agreed to pay $800,000 to individual class members, $775,000 in fees, plus $7.9 million for additional cybersecurity protections to prevent additional incidents.

The lawsuit was not brought under HIPAA, since HIPAA does not provide an individual right to sue. Instead, it is based on Maryland state privacy and consumer protection laws. This case joins a long list of other healthcare data breach lawsuits in which the plaintiffs don’t wait for OCR to enforce HIPAA but go to court themselves. Other examples can be found here.

Cybersecurity Management Missteps

The LifeBridge lawsuit alleged that criminal hackers were able to access patient records due to LifeBridge’s “failure to safeguard and secure the medical information and other personally identifiable information” of its consumers. The suit also claims LifeBridge discovered the breach in late March 2018, but waited another two months to inform affected patients.

The class action stems from two separate cyber attacks. LifeBridge announced the first one in May 2018 and the second in June 2020. In the earlier incident, LifeBridge disclosed that one of its servers suffered a malware attack in September 2016 that affected 530,000 patients. The server hosted LifeBridge Health electronic medical records and its patient registration and billing systems. LifeBridge didn’t discover the attack until March 2018, so the compromise had been ongoing for 18 months after the initial breach. This ongoing breach compromised names, addresses, dates of birth, Social Security numbers, health insurance information, diagnoses, and treatment information.

In June 2020, LifeBridge announced yet another healthcare data breach. In this second incident, an unauthorized user fraudulently obtained access to copies of documents held by M&T Bank in its lockbox account for LifeBridge’s affiliate, Sinai Hospital of Baltimore, Inc.

Implement HIPAA Safeguards to Reduce Costs

The $9.5 million settlement is only part of the overall costs LifeBridge has faced over the four years since the first breach was discovered. Healthcare data breaches are expensive: the costs include the initial forensic investigation, legal fees, public relations and crisis management, business disruption, and loss of goodwill.

It is notable that a sizable chunk of the $9.5 million settlement is the $7.9 million for additional cybersecurity protections to prevent further incidents. Had LifeBridge instituted appropriate HIPAA safeguards before the attacks, all of these expenses could have been avoided or lessened. There may not have been 530,000 patients victimized.

The HIPAA Security Rule is a blueprint to prevent cyber crime. The Security Rule Checklist in The HIPAA E-Tool® makes it easy, step-by-step, to cover all the bases. Along with the full HIPAA Risk Analysis, the Checklist shows you exactly what to do to improve compliance and reduce risks.

Don’t wait until after the crisis hits to take action. Begin with smart prevention today.

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC, she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up-to-date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.
