
MedStar proposes settlement following privacy breach


MedStar Mobile Healthcare has proposed a settlement following a privacy breach that took place in 2022. 

 

What happened

In 2022, MedStar Mobile Healthcare, operating emergency and non-emergency ambulance services in Tarrant County, Texas, announced that they were the victim of a cyberattack. 

They first noticed suspicious network activity on October 20th, 2022, and filed the notice on December 19th. They later confirmed parts of the network storing patient data were compromised. 

According to a local news source, the breach was an IT-related hacking incident. At the time it occurred, only their 911 computer-aided dispatch and patient care reporting systems had been impacted. They were able to restore data using backup systems and quickly brought operations back to normal. Through an investigation, they determined that hackers gained access to 612,000 individuals' data, including names, contact information, dates of birth, and some medical information.

 

What’s new

Notifications were sent to impacted individuals. Soon after, a class action lawsuit, Kaether v. Metropolitan Area EMA Authority d/b/a MedStar Mobile Healthcare, was filed in a Texas District Court. 

The lawsuit alleged that MedStar was negligent in securing patient data, resulting in the breach. It also alleged breach of implied contract with patients, public disclosure of private facts, negligence per se, breach of fiduciary duty, and unjust enrichment.

Now, MedStar has agreed to settle the lawsuit with no admission of liability or wrongdoing. They have agreed to pay an unspecified sum to cover all claims from the individuals impacted by the breach. A small number of the individuals also had HIPAA-covered health information exposed.

 

Going deeper

The terms of the settlement state that individuals who were notified about the breach and had to pay for losses traceable to the breach may submit claims of up to $3,000. Reimbursable costs may include travel expenses, phone calls, bank fees, credit costs, and identity theft or fraud losses. Those whose HIPAA-covered data was exposed can also submit a claim of $20/hour for up to 4 hours.

In order to be reimbursed, individuals must have documentation to support their claim. All class members will also receive free credit monitoring and identity theft insurance. A final hearing is scheduled for April 3rd, 2024. 

 

Why it matters

MedStar joins many other organizations that have faced class action lawsuits in response to breaches. As the public grows increasingly aware of privacy laws, many healthcare organizations have come under fire for failing to uphold security standards. 

The case is a harsh reminder of the importance of securing personal health data. Not only can a breach impact the ability of a health clinic to function, but it can have lasting financial implications for impacted organizations. 

 

The big picture

As cases like these continue to become the norm, we can expect more healthcare organizations to face legal trouble if their systems are not adequately secured.

According to one study, over 90% of cyberattacks begin with a phishing email, as many employees are ill-trained in responding to phishing. While we don’t know how this attack began, organizations should do everything possible to prevent all forms of attack, including phishing. 
