[BreachExchange] Some Easton Hospital patients may get compensated for data breach

Destry Winant destry at riskbasedsecurity.com
Mon Feb 4 07:32:34 EST 2019


https://www.mcall.com/business/mc-biz-easton-hospital-former-owner-china-cybertheft-20190201-story.html

An unspecified number of Easton Hospital patients whose data were
stolen by hackers in 2014 might be eligible for some compensation.

How much? It depends.

Lehigh Valley residents have begun receiving notices about a court
settlement involving Easton Hospital’s former owner, Community Health
Systems, over the breach, which occurred in April and June 2014.

That August, CHS and Easton Hospital said some patients’ personal
information was stolen in a cyber theft believed to have originated in
China. CHS, which is based in Franklin, Tenn., said the thieves stole
personal data belonging to 4.5 million patients throughout the
hospital network.

Locally, the stolen information involved patient names, addresses,
birthdates, telephone numbers and Social Security numbers and affected
people who were referred to — or received services from — doctors
affiliated with Easton Hospital via Northampton Physician Services in
Bethlehem Township. The hospital said all affected patients had been
notified and were offered free identity theft protection.

On Friday, officials with CHS and Easton Hospital, which is now owned
by Dallas-based Steward Health Care, did not return messages seeking
comment. CHS denies any wrongdoing, according to the notice sent to
patients.

The data breach led to a number of lawsuits, and those cases were
consolidated before a federal judge in the Northern District of
Alabama. The judge must still approve the settlement. Attorneys
representing CHS and the plaintiffs did not return messages seeking
comment.

The settlement would provide two types of payments for qualifying
patients: Up to $250 for out-of-pocket expenses and documented time
lost from the breach; or up to $5,000 for losses due to identity fraud
or identity theft from the cyberattack.

Patients must file a compensation claim form by Aug. 1. A hearing is
scheduled for Aug. 13 for the judge to rule on the settlement. More
information is at 877-393-1072, or chspscsettlement.com.

Patients can also file by May 18 to be excluded from the settlement or
to object to it.

The 2014 cyberattack was considered the largest of its type involving
patient information since a U.S. Department of Health and Human
Services website started tracking such breaches in 2009. The previous
record — an attack on a Montana Department of Public Health server —
was disclosed in June and affected about 1 million people.

