California hospital settles data breach case with largest per plaintiff payout in history

March 28, 2016

Health Care Alert

Author(s): James W. Weller, Michael S. Cohen, Michal E. Ovadia

Last month a California state court judge finalized the highest ever per-plaintiff cash settlement in a data breach case. St. Joseph Health System (SJHS), based in Irvine, California, is set to pay upwards of $28 million to settle a 31,074-member class action. The dispute arises out of a 2012 computer glitch that made 31,800 patient health records accessible on the Internet. The complaint alleged four causes of action: (1) violation of California’s Confidentiality of Medical Information Act (CMIA), (2) negligence, (3) money had and received, and (4) violation of the California Unfair Competition Law (UCL), California Business and Professionals Code, Section 17200.

The settlement obligates the defendants to pay $7.5 million to the plaintiffs, as well as an additional $7.4 million in attorneys’ fees. It also requires the defendants to spend $4.5 million for credit monitoring services for all patients whose protected health information (“PHI”) was compromised, for a period of one year, and to establish a $3 million fund to compensate plaintiffs who sustain identify theft losses resulting from the breach. Each plaintiff can apply for up to $25,000 from the fund to cover demonstrated losses. Court documents also indicate that the settlement requires SJHS to spend $13 million to institute policies compliant with state and federal regulations and to implement various remedial measures, which, according to experts, is a noteworthy part of the settlement.

The breach was discovered in January 2012 when the lead plaintiff, Danna Graewingholt, discovered her medical records online after running a Google search of her name. The following month, SJHS sent letters to more than 31,000 patients, notifying them that it had inadvertently released their PHI to the public. The letters indicated that the breach compromised the following kinds of patient data: “diagnoses lists, active medication lists, lab results, medication allergies, body mass index, blood pressure, smoking status, advance directive status and demographic information, including spoken language, ethnicity, race, gender and birth date.” This information had been accessible online for one year. Fortunately for the patients, the PHI disclosed by the breach did not include addresses, Social Security numbers and financial data.

The compromised data primarily concerned patients who received inpatient care at five different SJHS hospitals, between February and August of 2011. The court documents do not indicate how the PHI became searchable on the Internet. According to Jeffrey H. Reeves, lead counsel for SJHS, however, the breach was an unintentional oversight in the hospital’s intranet that made certain patient data vulnerable to tampering by what is known as a “Googlebot.” Under the CMIA, SJHS was potentially liable for up to $1,000 per class member if the case had gone to trial. The Department of Health and Human Services’ Office for Civil Rights has not announced a Corrective Action Plan or financial penalty for the breach, and an investigation may still be underway.

This settlement serves as a reminder of how vital it is to have strong security measures in place, both for medical care providers and other institutions that are charged with protecting confidential information. Management and technology personnel are encouraged to take a close look at not only the protections that are in place to safeguard confidential information, but also the established procedures to be followed in the event of a breach.

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

Back to top