Mercy Health Resolves Insider Data Breach Lawsuit with $1.8 Million

Mercy Health has agreed to pay $1.8 million to resolve all claims associated with a 2020 data breach that impacted 11,187 people. Unlike most class action data breach lawsuits, this legal action stems from an insider data breach rather than a cyberattack.

Mercy Health serves patients in southern Wisconsin and northern Illinois. On October 7, 2020, it was discovered that an employee had accessed patients' medical records on several occasions without being authorized to do so for his or her job. The breached patient data included names, birth dates, addresses, other demographic data, treatment and other clinical details, medical record numbers, and/or radiological images, and for some patients, medical insurance numbers.

Mercy Health sent breach notifications to the impacted people in December 2020 and advised them that the worker no longer works for Mercy Health. Improvements were put in place to prevent similar incidents in the future. Mercy Health provided the impacted patients with complimentary credit monitoring services. The health system did not receive any report of fraud or patient data misuse resulting from the breach.

Mercy Health patients T.D. and Monica Gama filed the legal action in the circuit court of the county of St. Louis. The lawsuit alleged that Mercy Health was negligent for failing to implement reasonable and proper cybersecurity procedures and access controls. Had the appropriate measures been in place, the data breach could have been avoided, and the health system would have avoided a potential HIPAA violation.

Mercy Health rejected the claims, denied any wrongdoing, and settled the lawsuit to avoid further legal expenses and the uncertainty of trial. Under the terms of the settlement agreement, class members are eligible to claim a $90 flat payment. They can also file a claim for documented expenses and lost time caused by the data breach, up to $300 per class member, which could include around 5 hours of lost time valued at $30 an hour. Class representatives can get a $5,000 service payment, while class counsel can get $600,000.

Objections to and requests for exclusion from the class settlement can be filed on or before June 10, 2024, which is also the last day for submitting a claim. The final hearing is scheduled for June 18, 2024.

Daniel Lopez

Daniel Lopez stands out as an exceptional HIPAA trainer, dedicated to elevating standards in healthcare data protection and privacy. Daniel, recognized as a leading authority on HIPAA compliance, serves as the HIPAA specialist for Healthcare IT Journal. He consistently offers insightful and in-depth perspectives on a wide range of HIPAA-related topics, addressing both typical and complex compliance issues. With his extensive experience, Daniel has made significant contributions to multiple publications such as hipaacoach.com, ComplianceJunction, and The HIPAA Guide, enriching the field with his deep knowledge and practical advice in HIPAA regulations. Daniel offers a comprehensive training program that covers all facets of HIPAA compliance, including privacy, security, and breach notification rules. Daniel's educational background includes a degree in Health Information Management and certifications in data privacy and security. You can contact Daniel via HIPAAcoach.com.
