UCLA Health Settles $7.5M Lawsuit Over Data Breach
The data breach was discovered in 2014 and affected the personal information, including Social Security numbers, of nearly 4.5 million UCLA Health patients.
UCLA Health has settled a class action lawsuit filed by the victims of a data breach from October 2014.
UCLA Health will pay $7.5 million to settle the lawsuit, reports the HIPAA Journal.
Suspicious activity was discovered on UCLA Health’s network back in 2014 and the FBI began a full investigation which confirmed that hackers had gained access.
At the time, it was believed that the hackers did not have access to the part of the network where patients’ medical information was stored. However, in May 2015, UCLA Health confirmed that hackers, in fact, had gained access to patients’ health information.
Names, addresses, dates of birth, Medicare IDs, health insurance information and Social Security numbers were potentially compromised for 4.5 million UCLA Health patients.
The Department of Health and Human Service’s Office for Civil Rights investigated the breach and deemed both the hospital’s response to the breach and improvements to security post-breach satisfactory.
There were no financial penalties brought against UCLA Health, however, a class action lawsuit was still filed by the victims of the breach, alleging UCLA Health failed to inform them of the breach in a timely manner.
Not only that, but the victims also claimed that there were violations of contracts, California’s privacy laws and UCLA Health’s failure to protect patient privacy.
Patients were not told about the breach until July 15, 2015. While this does not violate HIPPA’s 60-day notification requirement, plaintiffs still believed that they should have been notified more quickly because the initial breach took place nine months before.
Under the terms of the settlement, all victims can claim two years of free credit monitoring and identity theft protection services. Patients can also claim up to $5,000 to cover protection costs and up to $20,000 for any losses or damages caused by identity fraud.
Two million of the $7.5 million has been set aside for patient claims and the remaining $5.5 million will be put into a cybersecurity fund.