$8.9 Million Data Breach Settlement Agreed by Elekta & Northwestern Memorial Healthcare
An $8.9 million settlement has been agreed to resolve a class action lawsuit over a cyberattack on the radiation therapy and radiosurgery equipment provider Elekta that exposed the protected health information of patients of Northwestern Memorial Healthcare in Illinois.
The cyberattack on Elekta occurred between April 2 and April 20, 2021, and saw unauthorized individuals gain access to Elekta’s cloud-based radiology software and attempt to use ransomware to encrypt files. The attack affected several of its U.S-based customers, including Northwestern Memorial Healthcare, which reported that the data of up to 201,197 oncology patients had potentially been obtained in the attack.
Lawsuits were filed in response to the data breach that named Carla Tracy, Darryl Bowsky, and. Deborah Harrington as plaintiffs, which were consolidated into a single action – Tracy v. Elekta Inc., et al – in the U.S. District Court for the Northern District of Georgia. The plaintiffs alleged negligence, negligence per se, intrusion upon seclusion/invasion of privacy, breach of implied contract (Northwestern), breach of contract (Elekta), and a violation of the Illinois Genetic Information Privacy Act (GIPA).
The plaintiffs alleged that the defendants were fully aware of their obligations to protect sensitive patient data; however, implemented inadequate security measures, which allowed the ransomware group to breach systems and steal sensitive patient data such as names, dates of birth, Social Security numbers, medical treatment information, genetic information, and health insurance information.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The defendants maintain there was no wrongdoing; however, chose to settle the lawsuit to bring the litigation to an end to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, individuals who received a notification that they were affected by the data breach are entitled to submit a claim. Claims may be submitted for up to $5,000 for reimbursement of documented out-of-pocket expenses incurred as a result of the data breach, including bank fees, credit costs, and losses to fraud. Claims may also be submitted for a cash payment which will be paid pro rata after legal costs and expenses, attorneys’ fees, and service awards have been deducted. Cash payments are capped at $1,000 per class member. Members of the GIPA subclass are entitled to claim a further cash payment, also capped at $1,000 per claimant
The settlement has received preliminary approval from the court and the final approval hearing has been scheduled for January 6, 2025. The deadline for objection to and exclusion from the settlement has now passed. The deadline for submitting claims is December 26, 2024. Plaintiffs and class members were represented by Bryan L. Bleichner of Chestnut Cambronne PA and Terence R Coates of Markovits Stock & Demarco LLC.
