Share this article on:
A $350,000 settlement has been reached between Saint Francis Healthcare System and patients impacted by a September 2019 ransomware attack on Ferguson Medical Group (FMG).
FMG was acquired by Saint Francis after a cyberattack that rendered data, including electronic medical records, on FMG systems inaccessible. The decision was taken to restore the encrypted data from backups rather than pay the ransom, and while patient data and other files were recovered, it was not possible to recover all data encrypted in the attack. FMG was unable to restore a batch of data related to medical services provided to patients between September 20, 2018 and December 31, 2018 which has been permanently lost. FMG announced the incident impacted around 107,000 patients, and those individuals were offered complimentary membership to credit monitoring services.
A class action lawsuit was filed against Saint Francis Healthcare in January 2020 in the U.S. District Court of Eastern Missouri which alleged negligence per se, breach of express and implied contracts, invasion of privacy, and violations of the Missouri Merchandise Practices Act. Almost 90,000 of the affected patients added their name to the lawsuit.
While credit monitoring services had been offered to affected individuals, the plaintiffs sought compensation for costs incurred as a result of the data breach and attorneys’ fees. The lawsuit also demanded Saint Francis Healthcare implement additional safeguards to improve data security.
A motion to dismiss the lawsuit was filed by Saint Francis Healthcare in March 2020 as it was claimed the plaintiffs failed to state a plausible cause for relief. The plaintiffs maintained the motion to dismiss lacked merit; however, if the case were to go to trial, the outcome would be unpredictable. Both parties agreed to attempt to settle the case out of court.
The proposed settlement will see all plaintiffs provided with a maximum of $280 to cover out-of-pocket expenses incurred as a result of the breach, additional credit monitoring services, and compensation for time spent protecting their identities.
Saint Francis Healthcare has also agreed to make improvements to security, including reviewing firewall rules, automatically updating its firewall to the latest version and applying patches promptly, restricting remote access to legacy systems, developing and implementing new password management policies, adding multi-factor authentication to its VPN access points, removing RDP from its vendor access solution, implementing geo-blocking for traffic to certain IP addresses, implementing a vulnerability scanning program, and providing more comprehensive cybersecurity training to the workforce.
The settlement now awaits approval from a judge. A conference with District Judge Stephen R. Clark of the District Court of Eastern Missouri is scheduled for November 17, 2020.