June 6, 2023 – Memorial Hospital System Data Breach Lawsuit Settled for $1.75 Million
Memorial Hospital System has agreed to pay $1.75 million to settle the proposed class action detailed on this page, which was consolidated with similar lawsuits on March 30, 2022.
Don’t miss out on settlement news like this. Sign up for ClassAction.org’s free weekly newsletter here.
The deal, once approved by a judge, would cover 216,478 current and former patients who were sent a notice letter of the MHS data breach that occurred between July 10 and August 15, 2021, according to a motion for preliminary approval submitted to the court on May 16, 2023.
Class members who submit a claim with documentation of out-of-pocket losses “reasonably traceable” to the data breach can be reimbursed up to $5,000, the proposed settlement says. Eligible individuals may also submit a claim to receive $25 for every hour spent resolving issues attributable to the data breach, with a cap of $100. No documentation is required to collect lost-time claims.
In addition to these benefits, anyone covered by the settlement can also submit a claim for a $50 cash payment. This amount may be increased or decreased pro rata, or proportionally, depending on how much of the settlement fund is left after the distribution of the out-of-pocket and lost-time benefits, administrative fees, attorneys’ fees and expenses.
Data breach victims covered by the proposed deal are expected to receive direct notice of the settlement via email or mail within 30 days of preliminary approval. Notice recipients can file a claim when the official settlement website—MHSDataSettlement.com—goes live.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.
Memorial Hospital System (MHS) faces a proposed class action over a data breach that reportedly compromised the personal and health information of over 216,000 patients last summer.
The 51-page lawsuit claims the defendant, a network of hospitals, emergency departments and outpatient centers in Ohio, was negligent in maintaining patients’ private information and failed to take the necessary steps to secure the data from unauthorized access. As a result, an unauthorized actor gained entry to the hospital system’s network between July 10 and August 15, 2021, and was able to access files containing the private information of roughly 216,478 patients, the lawsuit alleges.
The information compromised in the breach included patient names, Social Security numbers, medical and treatment information, health insurance details and other protected health data, according to the complaint.
The case alleges defendant Marietta Area Health Care, Inc., who does business as Memorial Hospital System, maintained patient data “in a reckless manner” and left the information “in a condition vulnerable to cyberattack.” Per the lawsuit, the defendant violated both its own promise to keep patients’ data safe and the Health Insurance Portability and Accountability Act (HIPAA), and has subjected data breach victims to an increased risk of identity theft and fraud.
“Plaintiff’s and Class Members’ identities are now at risk because of Defendant’s negligent conduct since the Private Information that MHS collected and maintained is now in the hands of data thieves,” the complaint says.
The lawsuit claims the defendant—whose health system includes Marietta Memorial Hospital; Sistersville General Hospital; Selby General Hospital; Physicians Care Express; Marietta Health Care Physicians, Inc.; Memorial Health Foundation; Marietta Occupational Health Partners; and Marietta Home Health Services & Hospice—discovered on August 14, 2021 that malware had been installed on some of its servers. A subsequent investigation revealed that an unauthorized actor had been able to access MHS’s network for almost an entire month, encrypt patient data, and “hold hostage” the defendant’s system, the suit relays.
The lawsuit alleges that MHS waited over five months—until mid-January 2022—to notify patients whose information was compromised. According to the case, this delay violated the Ohio Security Breach Notification Act, which requires a company to notify victims of a data breach “as quickly as possible” and no later than 45 days after the incident is discovered.
Moreover, the suit claims that because the hackers were able to acquire patients’ data, affected individuals now face an increased risk of identity theft and fraud “and must deal with that threat forever.”
Per the case, MHS failed to comply with cybersecurity guidelines recommended by the Federal Trade Commission, and implement industry-standard data security practices:
“As the result of antivirus and malware protection software in dire need of security updating, inadequate procedures for handling phishing emails or emails containing viruses or other malignant computer code, and other failures to maintain its networks in configuration that would protect against cyberattacks like the ransomware intrusion here, Defendant negligently and unlawfully failed to safeguard Plaintiff’s and Class Members’ Private Information by allowing cyberthieves to access, and hold hostage, MHS’s IT systems, and which contained unsecured and unencrypted Private Information.”
The case looks to represent anyone who utilized MHS’s services and whose private information was maintained on the MHS system that was compromised in the data breach, and who was sent a notice of the data breach.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.
Hair Relaxer Lawsuits
Women who developed ovarian or uterine cancer after using hair relaxers such as Dark & Lovely and Motions may now have an opportunity to take legal action.