Shields Health Class Action Settlement

Shields Health (Shields), a Massachusetts-based medical imaging provider, has agreed to pay $15.35 million to settle class action litigation stemming from a 2022 hacking incident that affected nearly 2.4 million people. The proposed settlement was approved by a federal district judge in Boston, Massachusetts, last week.

Shields is a family-owned company with 40 healthcare facilities across New England offering MRI and PET/CT services. It also operates ambulatory surgical centers.

Shields Health Responded to the Hack

According to Shields’ breach notice, on March 28, 2022, the company noticed suspicious activity that may have involved data compromise. Shields initiated an investigation, using subject matter specialists to determine what happened.

The investigation revealed that an unauthorized individual gained access to Shields’ systems and acquired certain patient data over a two-week period, from March 7 to March 21, 2022.

Shields evaluated the data to determine what individual personal information may have been involved, and began notifying individuals and regulators in 2022. Shields continued its evaluation and sent notices to affected individuals as it learned who had been affected. For example, additional notices were mailed beginning April 19, 2023.

The type of information that was or may have been impacted included one or more of the following: full name, Social Security number, driver’s license number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information.

Shields Health Faced Class Action Lawsuits

Multiple lawsuits were filed against Shields in state and federal court, starting in July 2022. Seven lawsuits relating to individuals outside of Massachusetts were consolidated into one proposed class action in federal court in early January 2023. Several other lawsuits related to Massachusetts residents were filed in state court. The proposed settlement consolidates all of the pending cases.

The lawsuits alleged similar claims, namely, that:

  • Shields failed to protect patient data adequately and failed to provide timely breach notification. The lawsuits also alleged that the notification letters were incomplete, lacking the information affected individuals needed to take appropriate action to mitigate their risk.
  • Shields violated its obligations to comply with the HIPAA Security Rule because it failed to implement adequate cybersecurity measures to reduce risk.
  • Although Shields began issuing notifications on June 7, 2022, this was outside the allowed reporting period under the HIPAA Breach Notification Rule.
  • Breach notifications were untimely and deficient in information, failing to provide even basic information about the breach, such as whether patient data on the servers was accessed.
  • The credit monitoring services offered were inadequate, given that affected individuals face the risk of identity theft for many years.

The various lawsuits alleged breach of contract, negligence, breach of fiduciary duty, and invasion of privacy by intrusion. They asked for class-action status, injunctive relief, and damages.

Shields Health Denies Wrongdoing

In the settlement, Shields denies wrongdoing and disputes that the plaintiffs suffered any damages. The settlement document also notes that:

“Since the incident, the defendant (Shields Health) has invested significantly in remediation, cybersecurity enhancements and expansion of its IT workforce and has committed to maintaining those investments and measures for the foreseeable future.”

The proposed settlement provides that class members (those who sued) can receive up to $2,500 to offset out-of-pocket expenses incurred in responding to the data incident.

Settlement class members who believe they have suffered identity theft, fraud, or other extraordinary losses may submit a claim for “extraordinary losses and/or extraordinary attested time” up to $25,000 per individual.

As an alternative to proving their expenses, eligible settlement members can instead choose a flat $50 cash payment. Attorneys’ fees and expenses may account for approximately one-third of the settlement fund, or up to roughly $5.1 million.

Class Action Lawsuits Are More Common

Class action lawsuits over healthcare data breaches are proliferating. When a breach affects thousands or millions of individuals at once, a lawsuit can easily draw thousands of plaintiffs. HIPAA compliance helps organizations identify the risks that could give criminals access to patient data, and manage those risks to guard against theft.

HIPAA Compliance Pays Dividends

Weak cybersecurity measures fail to protect privacy and compound the cost of lawsuits.

Following the HIPAA Security Rule is a blueprint for preventing cybercrime, but it also helps defend against investigations and lawsuits. If the worst happens and a hacker succeeds, an organization must be able to demonstrate that it attempted to protect patient data and that it implemented the safeguards required by HIPAA.

The HIPAA E-Tool® can show you how.
