The South Carolina healthcare network has agreed to settle a 2020 data breach lawsuit for $1.5 million.
What happened
In October 2020, Roper St. Francis Healthcare, a hospital network with over 117 facilities, faced a massive data breach. Employee email accounts were accessed by an unauthorized user between October 14th and October 29th, 2020.
The incident impacted approximately 189,761 patients. The actor accessed 3 email accounts through phishing, obtaining financial and medical information including names, medical record numbers, patient account numbers, dates of birth, treatment and clinical information, and billing information.
What’s new
According to a local news report, a lawsuit was filed against Roper in 2021, alleging that Roper’s negligence had resulted in the breach. The class action suit was led by the Richter Firm, The Solomon Law Group, Slotchiver & Slotchiver, LLC, and Brent Souther Halversen, LLC.
The hospital network has faced several other breaches in recent years, and the lawsuit alleged that the trend showed continued carelessness. Ultimately, Roper St. Francis Healthcare agreed to the settlement, which amounts to approximately $1.5 million. Under the terms, notified individuals may claim up to $325 as reimbursement for related expenses, such as credit costs, bank fees, and lost time. In cases where the victim faced identity theft or fraud, they may be reimbursed up to $3,250. Class members are also entitled to a year of free credit monitoring.
As part of the agreement, Roper St. Francis is not admitting any wrongdoing. The final approval hearing, expected to pass, is scheduled for May 2nd, 2024.
Going deeper
Unfortunately for Roper, this is far from the first data breach the hospital network has faced. They similarly came under fire in June of 2020, when an employee’s email was accessed, resulting in 6,000 patients’ having their data stolen. Information includes names, dates of birth, medical records, clinical and treatment information, and for some, health insurance and Social Security numbers.
Other incidents impacting Roper patients included a January 2019 case that affected 35,253 individuals and a September 2020 incident that impacted 92,963 people. The latter stemmed from a data breach that impacted Blackbaud, a cloud computing provider. More information on the settlement, including how to opt-out, is available online.
What was said
According to one of the Plaintiff's attorneys, Brent Halverson, the lawsuit seeks to “hold Roper accountable for its continued negligent actions in allowing these preventable data breaches from happening and to compensate current and former patients for the harm inflicted.”
Halverson further added, “We seek to provide all patients whose private data was compromised credit monitoring services as partial compensation for the harm each has suffered, not just the handful that Roper thinks are the worst cases.”
The big picture
As cyberattacks become increasingly sophisticated and complex, vulnerable healthcare organizations are finding themselves heavily targeted, often repeatedly.
In the case of Roper, several cyber breaches were the result of phishing, a highly preventable attack vector. Phishing can be strategic for malicious actors, as many employees are not sufficiently trained or aware of the possible implications of interacting with a phishing email. With the right technology, these emails could have been automatically prevented from ever entering an employee's inbox.
Read more: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
