California Department of Corrections and Rehabilitation Settles 2022 Data Breach Lawsuit
The California Department of Corrections and Rehabilitation (CDCR) has agreed to settle a class action lawsuit that alleged negligence for failing to prevent a 2022 data breach. The potential CDCR data breach occurred in January 2022, when hackers breached CDCR systems that contained the personally identifiable information (PII) and protected health information (PHI) of individuals incarcerated in the State of California.
The data exposed in the incident included COVID-19 testing data from June 2020 to January 2022 and the mental health information of inmates in the Mental Health Services Delivery System dating back to 2008; information in the Trust, Restitution, Accounting, and Canteen System (TRACS) was also potentially involved. No evidence was found to indicate data theft, and it was not possible to tell exactly what types of information were impermissibly accessed in the incident. The breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of up to 236,000 individuals.
A CDCR class action lawsuit was filed in response to the data breach on behalf of plaintiff William Henry Thomas, who is currently incarcerated at Folsom State Prison, and other similarly situated individuals. The CDCR lawsuit – Thomas, et al. v. California Department of Corrections and Rehabilitation, et al. – alleged that insufficient safeguards had been implemented to prevent unauthorized access to inmates’ data.
It is rare for any healthcare data breach class action lawsuit to go to trial and the CDCR data breach class action lawsuit was no exception. The settlement was proposed to avoid the risks, costs, and uncertainty associated with continued litigation. CDCR denied and continues to deny the claims in the lawsuit and the settlement does not include any admission of wrongdoing or liability. The CDCR settlement will see a $1.8 million settlement fund created to cover claims from individuals affected by the CDCR data breach. After attorneys’ fees, legal costs, class representative awards, and expenses have been deducted from the settlement fund, the remainder will be divided equally between all members of the settlement class. Legal fees are expected to be around one-third of the settlement fund.
Individuals who received a postcard notice about the settlement do not need to submit a claim and will be automatically allocated their share of the settlement. Individuals who did not receive a postcard notice and who are members of the class are required to file a claim to receive their share of the settlement. The deadline for submitting those claims is February 14, 2025. The final approval hearing was scheduled for March 7, 2025; however, it has now been changed to April 25, 2025, at 9:00 a.m. The CDCR data breach settlement payout date is unclear at this time. The settlement administrator will pay out all valid claims after the settlement receives final approval from the court.
There has been an increase in class action lawsuits following healthcare data breaches. It is now common for multiple class action lawsuits to be filed in response to a data breach, and not just for large data breaches such as the massive data breach at Change Healthcare in 2024. Even relatively small data breaches see class action lawsuits filed, and class action data breach settlements can be substantial. Last year, GoodRx settled a consolidated class action data breach lawsuit for $25 million, and Lehigh Valley Health Network settled a class action data breach lawsuit for $65 million. Healthcare organizations are also facing increased scrutiny of data breaches by regulators, with financial penalties imposed by state attorneys general and the HHS’ Office for Civil Rights for HIPAA violations. Last year, OCR closed at least 22 investigations of data breaches with civil monetary penalties or settlements.


