The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Umass Memorial Health Proposes $1.2 Million Settlement to Resolve Data Breach Lawsuit

Posted By on Feb 14, 2023

Umass Memorial Health has proposed a $1.2 million settlement to resolve a class action lawsuit that was filed on behalf of individuals affected by its 2020 hacking incident and data breach.

Hackers gained access to Umass Memorial Health’s email environment between June 24, 2020 and January 7, 2021, as a result of responses to phishing emails. The compromised email accounts contained patient names, medical record numbers, driver’s license numbers, financial account information, Social Security numbers, health insurance information, and clinical or treatment information.

Notification letters were sent to affected individuals in October 2021 and complimentary credit monitoring and identity theft protection services were offered to individuals whose Social Security numbers were exposed. The breach affected almost 3,000 Massachusetts residents and was reported to the HHS’ Office for Civil Rights as affecting 209,048 individuals.

The lawsuit, Kesner, et al. v. UMass Memorial Health Care Inc., alleged Umass Memorial Health failed to implement appropriate safeguards to protect patient data and did not issue timely notifications. Umass Memorial Health chose to settle the lawsuit to prevent further legal costs and avoid the uncertainty of trial.  Umass Memorial Health has not admitted to any wrongdoing.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Under the terms of the settlement, class members are entitled to submit claims for reimbursement of ordinary expenses up to $150, which include bank fees, communications charges, and up to three hours of lost time at $25 per hour. Claims may also be submitted for extraordinary losses up to a maximum of $5,000, which can include documented, unreimbursed losses to fraud and identity theft. Class members will also be provided with two years of credit monitoring services. Class members not wishing to take advantage of the benefits will be able to receive a cash payment of $40 in lieu of those benefits.

The deadline for objection to the settlement is March 15, 2023. Claims for the benefits or cash payment must be submitted by April 14, 2023. The final approval hearing is scheduled for May 23, 2023.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist