Earlier this week, Community Health Systems (“CHS”), an operator of general acute care hospitals based in Franklin, Tennessee, reached a settlement in a class action lawsuit over a 2014 data breach. The breach, which took place in April and June 2014, affected 4.5 million patients and has been ranked as one of the largest health care data breaches in history.
The breach
Court records in the lawsuit allege that a criminal organization from China carried out the cyberattack in April and June 2014 using the Heartbleed Bug.[1] The stolen information included patients’ names, birth dates, addresses, telephone numbers, employer information and social security numbers taken from the health records system at CHS and from certain CHS-affiliated physician practices and clinics.
Although CHS publicly announced the attack in August 2014, sixteen (16) former patients allege that CHS made no effort to strengthen the cybersecurity protections on its software systems after discovering the attack in April 2014. According to court records, the suit also alleges that CHS kept sensitive patient data on a “test server,” leaving much of the information largely exposed. In the wake of the cyberattack, several lawsuits were filed and eventually consolidated in 2015.
The settlement
The settlement agreement, which is pending approval by a judge at an August 13 fairness hearing, provides two types of payments to affected patients. First, each patient would be entitled to a maximum of $250 for out-of-pocket expenses incurred in responding to the breach, such as credit and identity monitoring services used between August 18, 2014, and August 1, 2019. The out-of-pocket category also covers up to five (5) hours of time each patient spent dealing with the breach, valued at $15 per hour. Second, any patient who was the victim of fraud or identity theft as a result of the breach would be entitled to up to $5,000. The settlement agreement caps total claims paid at $3.1 million.
If the agreement is approved, affected patients may submit a claim to be included in the settlement by August 1. The settlement agreement attempts to deal creatively with a common issue in data breach class action lawsuits, namely, how to effectively quantify the harm suffered by the victims. Many settlement agreements in such cases do not result in monetary damages received by the victims, but rather set out large expenditures on the part of the company to be used for credit monitoring and fraud resolution services. Whether the model used in CHS’ settlement agreement succeeds in reimbursing the victims remains to be seen.
[1] The Heartbleed Bug is a bug in the widely used cryptographic software library known as OpenSSL. Google discovered the Heartbleed Bug in April 2014.