The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

United Health Centers of the San Joaquin Valley Proposes Settlement to Resolve Data Breach Lawsuit

Posted By on Oct 12, 2022

United Health Centers of the San Joaquin Valley (UNC) has proposed a settlement to resolve a class action lawsuit filed on behalf of patients affected by its August 2021 Vice Society ransomware attack.

The attack in question saw the ransomware actors gain access to its network and exfiltrate files that contained patient information such as names, Social Security numbers, medical record numbers, dates of birth, and treatment information, with the information copied from its systems between August 24, 2021, and August 28, 2021. Notification letters about the attack and data breach were issued four months after the attack in December 2021. Affected individuals were offered complimentary 12-month memberships to a credit monitoring and identity theft protection service.

A lawsuit was filed in the Fresno County Superior Court – Avetisyan v. United Health Centers of the San Joaquin Valley – by attorney Matthew R. Wilson on behalf of UNC patient, Narek Avetisyan, and other individuals similarly affected by the data breach. The lawsuit alleged negligence, invasion of privacy, and violations of the California Confidentiality of Medical Information Act and the Consumer Records Act.

UNC said it has implemented and maintains “meritorious defenses” to prevent attacks of this nature and accepts no wrongdoing for the data breach or liability, and while UNC said it was happy to vigorously defend the lawsuit, the decision was made to try to settle the lawsuit to avoid ongoing legal costs and the uncertainty of trial.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Under the terms of the proposed settlement, affected individuals will be entitled to three years of credit monitoring and identity theft protection services, even if they choose to exclude themselves from the settlement. Individuals who accept the settlement will be entitled to submit a claim for up to $500 for non-economic losses due to the data breach and can claim up to $2,500 as reimbursement for documented losses that can be reasonably attributed to the cyberattack.

Individuals who wish to object to or exclude themselves from the settlement must do so by November 19, 2022, which is also the final date for submitting claims for reimbursement. A fairness hearing has been scheduled for February 8, 2023.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist