St. Louis-based BJC HealthCare agreed to a class action lawsuit settlement to resolve allegations that its poor cybersecurity led to a May 2020 phishing attack that compromised sensitive patient data.
Affected patients of the data breach took legal action against BJC HealthCare, arguing the company could have prevented the data breach through reasonable cybersecurity measures.
BJC HealthCare did not admit any wrongdoing but agreed to settle the case and said it will do the following:
- Reimburse class members for ordinary and extraordinary expenses resulting from the settlement.
- Give participating class members two years of credit monitoring and identity theft insurance.
- Spend an estimated $2.7 million to implement multifactor authentication for email access in order to reduce phishing attacks.
- Implement new policies, mandatory training and an improved password policy in order to protect consumer data.
The deadline for exclusion and objection to the settlement is Aug. 16.
The final approval hearing for the settlement is scheduled for Sept. 6.