LifeBridge Health has agreed to pay $9.5 million in retribution to patients whose information was disclosed in a 2018 data breach.
Based in Baltimore, LifeBridge Health revealed in May 2018 that it was the victim of a data breach that impacted 530,000 patients. The health system detected malware on a server that hosts EMRs for one of its physician practices, Potomac Physicians, and the shared registration and billing system of other LifeBridge Health providers, according to Health IT Security
An investigation revealed that the initial leak occurred in September 2016 and continued for 18 months. Names, dates of birth, social security numbers, diagnoses, medications, clinical and treatment information, insurance information and other data were impacted.
Additionally, another breach that occurred between December 2019 and April 2020 on records at its Sinai Hospital location also affected patients.
Because of these attacks, patients experienced declined transactions, email account access problems, fraudulent accounts, fraudulent unemployment submissions and fraudulent applications for COVID-19 disaster business loans, reported Top Class Actions
“As a result of LifeBridge’s failure to implement and follow basic security protocols and procedures, plaintiffs’ and class members’ personal information is now in the hands of thieves,” said the plaintiffs in a class action lawsuit filed against LifeBridge Health.
While LifeBridge did not acknowledge wrongdoing, it agreed to pay $9.475 million. That includes $800,000 in payments to class members and $775,000 in fees.
Each class member can claim up to three hours of lost time at a rate of $20 per hour and an additional two hours at the same rate if they suffered extraordinary out-of-pocket expenses.
They also will receive up to $250 for ordinary data-breach losses, including bank fees, communication charges, credit monitoring, credit freeze costs and other expenses. Extraordinary losses such as reimbursement monetary losses are valued at up to $5,000.
LifeBridge Health has also agreed to pay $7.9 million in additional security measures, including for the encryption of sensitive data, tracking software for biomedical devices, network monitoring, regular maintenance, annual security training, enhanced account security and two-factor authentication.
The final approval hearing for the settlement will be held on October 26, 2022.
Class members must submit a valid claim form by February 1, 2023 to receive settlement benefits.