– UCLA Health reached a class-action lawsuit settlement with the 4.5 million current and former patients impacted by its May 2015 health data breach.
The settlement will provide $2 million for unreimbursed loss and preventative measures claims. The remaining $5.5 million will provide a cybersecurity enhancement fund, agreed to by UCLA Health.
The plaintiffs are patients whose personal information was exposed in a hack on the California health system’s network. Officials discovered suspicious activity on the network in October 2014, but at the time it did not appear as if the hackers had gained access to systems containing personal and medical data.
In May 2015, officials said the cyberattack was confirmed to have impacted those systems with patient information, including names, dates of birth, Social Security numbers, Medicaid or health plan identification numbers, and some medical data.
As a result, the impacted patients launched a class-action lawsuit in July 2015. The plaintiffs argued UCLA Health was negligent in its security efforts to protect patient data, which put patients at risk of identity theft.
They claimed the health system failed to report the breach in a timely fashion. Under HIPAA, providers are required to notify patients within 60-days upon breach discovery. Further, they argued the health system should have foreseen the potential for a cyberattack given the prevalence of other security incidents among other “big players” in the health sector.
At the time, the health system faced other accusations of invasion of privacy, breach of contract, negligence, and a violation of several California privacy laws.
Under the settlement, UCLA Health agreed to a number of resolutions. To start, all class action members can sign up for free identity protection services, which will provide two years of coverage.
The health system also agreed to reimburse patients for expenses incurred in their attempts to protect themselves against identity theft, or losses suffered from identity theft and or fraud. In total, patients can receive up to $5,000 for preventive costs and up to $20,000 in losses or damages.
UCLA Health also agreed to update its cybersecurity practices and policies. Patients who wish to claim or object to the settlement must do so by May 20, 2019. Those who need to submit a claim for preventive measures or unreimbursed losses have until June 18, 2019.