UCLA Health has agreed to pay a $7.5 million settlement to resolve a class action lawsuit that was filed on behalf of victims of data breach in October 2014.
UCLA Health noticed suspicious activity on its system in October 2014 and requested the assistance of FBI in the investigation. The forensic investigation affirmed hackers had accessed its network, though back then it was thought that the parts of the network storing patients’ medical data were not accessed. But on May 5, 2015, UCLA said the hackers succeeded in accessing parts of the network which housed patients’ protected health information (PHI) and potentially viewed or copied names, addresses, birth dates, Medicare IDs, medical insurance data and Social Security numbers. The breach affected a total of 4.5 million patients.
The investigation by the Department of Health and Human Services’ Office for Civil Rights into the incident revealed UCLA Health had the appropriate breach response and had implemented the technical and administrative safeguards to enhance security after the breach was experienced.
OCR did not issue a financial penalty to UCLA Health, but a class action lawsuit was filed against UCLA Health by some of the patients whose PHI had been exposed. The plaintiffs claimed that UCLA Health did not notify them about the breach promptly, there was a breach of contract, violations of the state’s privacy laws, and that UCLA Health was negligent for failing protect patient privacy.
UCLA Health sent breach notifications to patients on July 15, 2015. While this was in keeping with HIPAA requirements of sending notifications within 60 days from discovery of a breach, the plaintiffs thought that UCLA Health should have notified them more rapidly, especially since the breach had happened 9 months previously.
It is stipulated in the terms of the settlement that all affected patients are entitled to get two years of credit monitoring and identity theft protection services free of charge. Patients can also submit a claim to recover costs they have incurred for protection against unauthorized use of their private and health data. They may also submit a claim to get recover losses due to fraud and identity theft.
Claims can be submitted for up to $5,000 for costs incurred from protecting their identities and up to $20,000 for losses or damages due to identity theft and fraud. UCLA Health set aside $2 million of the $7.5 million settlement to take care of patients’ claims. The remaining $5.5 million will be used for improving UCLA Health’s cybersecurity defenses.
Patients can submit an objection to the settlement until May 20, 2019. Submission of preventative measure claim forms is allowed until June 18, 2019 and enrollment of patients in the no cost credit monitoring and identity theft protection services is permitted until September 16, 2019. Submission of claims for reimbursing losses is allowable until June 18, 2021. The final court hearing on the settlement is slated for June 18, 2019.