BJC Healthcare Settles Data Breach Lawsuit Stemming from 2020 Phishing Attack

BJC HealthCare has agreed to settle a class action lawsuit to resolve claims it failed to adequately protect patient data from phishing attacks. The nonprofit St. Louis-based hospital system reported a breach of its email system to the HHS’ Office for Civil Rights on May 5, 2020, that affected 287,876 individuals. The investigation confirmed that three email accounts had been compromised in March 2020 as a result of responses to phishing emails. While data theft could not be determined, the affected email accounts contained the protected health information of patients of 19 of its hospitals, including names, birth dates, health insurance information, Social Security numbers, driver’s license, and healthcare data.

The lawsuit, filed in the Circuit Court of the City of St. Louis State of Missouri, originally included 10 counts against the defendants and survived two motions to dismiss, with the lawsuit allowed to proceed on 8 of the 10 counts: unjust enrichment, breach of contract, negligence, negligence per se, breach of covenant of good faith and fair dealing, vicarious liability, and violations of the Missouri Merchandising Practicing Act (MMPA) and Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA).

BJC HealthCare agreed to settle the lawsuit with no admission of liability or wrongdoing. Under the terms of the settlement, BJC HealthCare will make funds available to cover claims from affected individuals up to a maximum of $5,000. Each individual affected may submit a claim for ordinary and extraordinary expenses incurred as a result of the data breach.

Claims can be submitted for ordinary expenses such as bank fees, interest, credit monitoring costs, postage, mileage, and up to 3 hours of lost time at $20 per hour. Ordinary claims are capped at $250 per person. Claims of up to $5,000 can be submitted for extraordinary expenses, including documented monetary losses and up to three hours of additional lost time at $20 per hour. BJC Healthcare has also agreed to cover the cost of two years of credit monitoring and identity theft protection services. Named plaintiffs will receive up to $2,000 and BJC HEalthCare will cover the plaintiffs’ legal costs. BJC HealthCare has committed $2.7 million to cover the cost of implementing multi-factor authentication for its email accounts to improve protection against phishing attacks.

Please see the HIPAA Journal Privacy Policy

Claims must be submitted by Dec. 14, 2022. The final approval hearing for the settlement is on Sept. 6, 2022.

In May 2022, BJC HealthCare reported another email breach to the HHS’ Office for Civil Rights. The incident was reported as affecting 500 individuals – a common placeholder used until the exact number of affected individuals is determined. The breach occurred two months previously.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.