$185,000 Settlement Proposed to Resolve Grays Harbor Community Hospital Ransomware Lawsuit

A proposed settlement has been agreed between Grays Harbor Community Hospital and Harbor Medical Group and the representative plaintiff in a proposed class action lawsuit over a June 2019 ransomware attack that resulted in the encryption of patient data.

The settlement was negotiated by the plaintiff and Grays Harbor to avoid the uncertainty of a trial and the costs of further litigation. The settlement was not decided in favor of either party by the Court.

The ransomware attack that prompted the lawsuit was detected in June 2019. The Washington healthcare provider powered down its systems to contain the virus that had prevented servers from being accessed, but not in time to prevent its computer systems from being encrypted. Grays Harbor had backed up its data for such an eventuality, but the backup files were also encrypted in the attack. The attack took its electronic health record system offline for around two months.

A ransom demand of $1 million was demanded by the attackers for the keys to decrypt the data. Gray’s Harbor had an insurance policy that provided cover of up to $1 million, although it is unclear whether that insurance policy paid out and if the ransom was paid. Regardless, it was not possible to recover all data encrypted in the attack and some patients’ protected health information was not recovered.

The lawsuit alleged violations of the Washington State Consumer Privacy Act, the Washington State Uniform Healthcare Information Act, the Washington State Consumer Privacy Act, the state Constitution’s Right to Privacy, that Grays Harbor Community Hospital and Harbor Medical Group were negligent for failing to protect the privacy of patients, breach of express contract, breach of implied contract, and an intrusion upon seclusion/ invasion of privacy.

Grays Harbor Community Hospital and Harbor Medical Group agreed to the settlement with no admission of liability. All claims stated in the lawsuit have been denied.

Grays Harbor Community Hospital and Harbor Medical Group proposed a settlement of $185,000 to cover the claims of the 88,000 patients affected by the ransomware attack. Affected patients can submit claims up to a maximum of $210 per person to cover out-of-pocket monetary losses incurred as a result of the breach and up to three hours of documented lost time dealing with the fallout from the breach at a rate of $15 per hour.

Claims up to $2,500 will also be accepted to cover provable other losses incurred that were more likely than not due to the ransomware attack. All available credit monitoring insurance and identity theft insurance must be exhausted before Grays Harbor is responsible for any larger payouts. If the claims exceed $185,000 they will be paid pro rata to reduce costs.

Class members have until July 27, 2020 to exclude themselves from the settlement or submit an objection. A fairness hearing has been scheduled for August 31, 2020. To receive a share of the settlement fund, a claim must be submitted by December 23, 2020.

Following the ransomware attack, steps were taken to improve security and more than $300,000 has been invested in information security. A further $60,000 will be spent on security improvements over the next three years.

This is the second data breach settlement to be announced this week. A settlement was also proposed by UnityPoint health to resolve a lawsuit filed by victims of two 2018 phishing-related data breaches. That settlement will see UnityPoint Health make a minimum of $2.8 million available to cover claims and, very unusually, no cap has been placed on claims payments, so the final settlement amount could be substantial.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.