Health Care Service Corporation and Schneck Medical Center Face Lawsuit

HIPAA Lawsuit Against Schneck Medical Center Resolved

Schneck Medical Center, based in Seymour, IN, has resolved a lawsuit with Indiana Attorney General Todd Rokita over a 2021 ransomware attack and data breach that impacted 89,707 Indiana residents. Schneck Medical Center has agreed to pay a fine of $250,000 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state legislation, and will put in place additional security measures to prevent further data breaches.

According to the lawsuit, Schneck Medical Center performed a risk analysis in December 2020 that identified many critical security issues, but Schneck Medical Center did not address them. Nine months later, on or about September 29, 2021, a malicious actor exploited security vulnerabilities, gained access to the system, exfiltrated sensitive patient information, and then used ransomware to encrypt files. The data stolen in the ransomware attack included names, addresses, birth dates, driver’s license numbers, Social Security numbers, financial account data, payment card details, diagnoses, and medical insurance data.

Schneck Medical Center immediately alerted patients about the cyberattack by publishing a statement on its webpage on September 29, 2021; however, the Indiana AG claimed that Schneck Medical Center did not disclose the risk to patients and did not urge them to take steps to protect themselves against identity theft and fraud, even though Schneck Medical Center knew at the time that a large quantity of sensitive information had been stolen.

On November 26, 2021, two months later, Schneck Medical Center released another statement confirming that files had been stolen during the attack; however, Schneck Medical Center did not disclose the exposure of protected health information (PHI), despite knowing that PHI had been stolen. Schneck Medical Center also did not send prompt individual notification letters, which were not mailed until May 13, 2022, 226 days after the data breach was discovered. In addition, Schneck Medical Center stated in a May 13, 2022 substitute breach notice that it discovered the stolen data on March 17, 2022, when it had known about the data theft since September 29, 2021.

The Indiana attorney general charged the healthcare provider with multiple violations of the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, the Indiana Deceptive Consumer Sales Act, and the Indiana Disclosure of Security Breach Act. In addition to the financial penalty, Schneck Medical Center must implement a data security program within 90 days to address all identified security problems, create and implement an incident response plan to ensure a prompt and HIPAA-compliant response to future security incidents, and provide data security and privacy training to all persons who have access to personal data or PHI.

Patients’ Losses to Be Paid by Schneck Medical Center

Schneck Medical Center has also recently paid $1.3 million to resolve a consolidated class action lawsuit. Two lawsuits were filed by patients Jalen Nierman, Jennifer Renoll, Bryce Sheaffer, Patricia White, and Nigel Myers over the ransomware attack and data breach, seeking compensation for the security breach. The plaintiffs claimed Schneck Medical Center did not implement reasonable and appropriate security measures to ensure the privacy of patient information. Schneck Medical Center agreed to a settlement without admitting wrongdoing.

Under the terms of the settlement, class members can claim as much as $500 for ordinary expenses, which include around 4 hours of lost time at $15 an hour. People who incurred extraordinary expenses because of the data breach can claim as much as $6,000. Claims can be paid pro rata, based on the number of claims submitted. The settlement also includes complimentary credit monitoring and identity theft protection services for 27 months and identity theft insurance coverage worth $1 million.

Class Action Data Breach Lawsuit Filed Against Health Care Service Corporation

Health Care Service Corporation (HCSC), a health insurance company and Blue Cross Blue Shield licensee based in Chicago, IL, is facing a lawsuit over a newly disclosed data breach that impacted 192,231 of its clients.

HCSC experienced a cyberattack on or about June 21, 2023, and confirmed that the threat actors gained access to member data including names, addresses, telephone numbers, email addresses, birth dates, Social Security numbers, bank account numbers, claim numbers, and medical service data. Affected individuals received notification letters on August 21, 2023.

The lawsuit was filed in the Circuit Court of Cook County in Illinois on behalf of plaintiff Elizabeth Slaughter and other similarly situated persons. The lawsuit claims HCSC disregarded the legal rights of the plaintiff and class members by deliberately failing to take and implement adequate and appropriate measures to safeguard PHI/PII, for example, encrypting information on its systems, and that HCSC did not fulfill its data security obligations under HIPAA.

The plaintiff claims she was not informed of the data breach until August 24, 2023, over 2 months after the cyberattack occurred, and that she was unaware that the defendant even had her information until she received the letter in the mail. The plaintiff claims she was harmed by the data breach because she has had to spend time and money protecting herself against identity theft and fraud and will need to continue doing so in the future. The plaintiff also claims she has suffered an injury through the loss of and diminution in the value of her PHI/PII, and states that her anxiety was made even worse after her personal information was obtained and published to at least one dark web site.

The lawsuit alleges negligence, breach of the implied covenant of good faith and fair dealing, breach of implied contract, and unjust enrichment, and seeks a jury trial, class-action status, and actual, nominal, and consequential damages. The lawsuit also seeks a court order to stop HCSC from engaging in unlawful activities. The injunctive relief sought includes security protections such as data encryption, regular vulnerability scanning and security checks, and security awareness training for employees with testing of employees’ knowledge.

Kevin Laukaitis of the law firm Laukaitis Law LLC and attorney Joseph J . represented the plaintiff and class members.


Posted by Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.