[BreachExchange] UCLA Health Reaches $7.5M Settlement Over 2015 Breach of 4.5M

Destry Winant destry at riskbasedsecurity.com
Fri Mar 22 08:54:23 EDT 2019


UCLA Health reached a class-action lawsuit settlement with the 4.5
million current and former patients impacted by its May 2015 health
data breach.

The settlement will provide $2 million for unreimbursed loss and
preventative measures claims. The remaining $5.5 million will provide
a cybersecurity enhancement fund, agreed to by UCLA Health.

The plaintiffs are patients whose personal information was exposed in
a hack on the California health system’s network. Officials discovered
suspicious activity on the network in October 2014, but at the time it
did not appear as if the hackers had gained access to systems
containing personal and medical data.

In May 2015, officials said the cyberattack was confirmed to have
impacted those systems with patient information, including names,
dates of birth, Social Security numbers, Medicaid or health plan
identification numbers, and some medical data.

As a result, the impacted patients launched a class-action lawsuit in
July 2015. The plaintiffs argued UCLA Health was negligent in its
security efforts to protect patient data, which put patients at risk
of identity theft.

They claimed the health system failed to report the breach in a timely
fashion. Under HIPAA, providers are required to notify patients within
60 days of breach discovery. Further, they argued the health system
should have foreseen the potential for a cyberattack given the
prevalence of other security incidents among other “big players” in
the health sector.

At the time, the health system faced other accusations of invasion of
privacy, breach of contract, negligence, and a violation of several
California privacy laws.

Under the settlement, UCLA Health agreed to a number of resolutions.
To start, all class-action members can sign up for free identity
protection services, which will provide two years of coverage.

The health system also agreed to reimburse patients for expenses
incurred in their attempts to protect themselves against identity
theft, or losses suffered from identity theft and/or fraud. In total,
patients can receive up to $5,000 for preventive costs and up to
$20,000 in losses or damages.

UCLA Health also agreed to update its cybersecurity practices and
policies. Patients who wish to claim or object to the settlement must
do so by May 20, 2019. Those who need to submit a claim for preventive
measures or unreimbursed losses have until June 18, 2019.
