Multimillion Dollar Deal Resolves 27 Lawsuits After 2023 Email Storage Hack

A Tennessee federal court this week approved a multimillion-dollar settlement in consolidated class action litigation filed against publicly traded HCA Healthcare in the wake of a 2023 data breach in which hackers stole information from an external storage location used to automate the formatting of email messages. The incident affected more than 11 million individuals.
Settlement and other court documents in the HCA case do not mention a net settlement fund or specify a total dollar amount the for-profit healthcare operator has agreed to pay.
The 2023 incident involved an external storage location. HCA says hackers did not take clinical or financial information and also did not steal identifiers such as driver’s license or Social Security numbers.
An unidentified party posted some stolen data on an online forum, including patient names and addresses, emails, telephone numbers, gender, patient service date, location and next appointment date.
Under the settlement, class counsel are set to receive $3.1 million in attorney’s fees. Most similar class action litigation settlements involving health data breaches in recent months and years generally provide class counsel attorney fees that are roughly one-third of a net settlement fund – meaning HCA’s total settlement could be estimated to approach $9.3 million.
Sometimes class members’ counsel fees are a lower percentage because of the size of the settlement, said regulatory attorney Rachel Rose, who is not involved in the HCA case.
Court documents estimate that the settlement covers “millions” of class members, which include individuals residing in the United States whose personal information was compromised in the data incident that HCA publicly disclosed on July 10, 2023.
Under the settlement agreement, each eligible class member may file a claim of up to $5,000 for reasonable documented losses tied to the incident. Class members can also file a claim for one year of complimentary credit and identity monitoring.
Unlike many other recent settlements involving health data breaches, the HCA settlement does not offer class members an option to claim a pro rata cash payment as an alternative to claims for documented losses tied to the security incident.
“They are requiring documented loss, so this settlement is predicated on damages,” Rose said.
The settlement also calls for HCA to implement and maintain “security commitments” designed to prevent similar data incidents in the future. Those security measures are specified in an exhibit that is filed under seal, away from the public’s view.
HCA operates 190 hospitals and approximately 2,400 ambulatory care sites in 20 U.S. states, and the United Kingdom. Neither attorneys representing plaintiffs nor HCA immediately responded to Information Security Media Group’s requests for comment on the settlement and other details, including the total dollar amount HCA has agreed to pay.
HCA is “pleased to have reached a fair and appropriate resolution to this litigation,” the company told Information Security Media Group.
The settlement resolves a consolidation of 27 lawsuits filed against HCA following its disclosure of the criminal cyberattack (see: HCA Says Up to 11M Patients Affected by Email Data Hack).
The company told investors it did not believe the incident would materially affect its business, operations or financial results.
Plaintiffs alleged that HCA was negligent in failing to properly safeguard affected patients’ information (see: First Lawsuits Filed in HCA Data Hack As New Questions Emerge).
Under the settlement, HCA denies any wrongdoing.
