Columbus Regional Healthcare Agrees to $1,175,000 Data Breach Settlement
Columbus Regional Healthcare has agreed to a $1,175,000 settlement to resolve litigation stemming from a May 2023 data breach. The breach was detected on May 21, 2023, and the forensic investigation confirmed that hackers had access to parts of its network between May 19, 2023, and May 21, 2024, including systems that contained the personal and protected health information of 132,887 individuals.
The file review was completed on December 28, 2023, and it was confirmed that the data exposed in the incident included names, addresses, birth dates, Social Security numbers, driver’s license information, passport numbers, financial account information, medical histories, and health insurance information. The affected individuals were notified about the data breach in January 2024, and complimentary credit monitoring services were offered to individuals who had their Social Security numbers compromised.
Lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit – In Re: Columbus Regional Healthcare System – in Columbus County, North Carolina. The lawsuit was then removed to the Business Court in Columbus County. The plaintiffs alleged Columbus Regional Healthcare was negligent by failing to implement reasonable and appropriate safeguards to protect the sensitive data stored on its network. The plaintiffs maintained that if reasonable safeguards had been implemented, the data breach could have been prevented. The lawsuit also alleged breach of implied contract, negligence per se, breach of fiduciary duty, intrusion upon seclusion/invasion of privacy, and unjust enrichment.
Prior to extensive motion practice and formal discovery, the parties agreed to mediate in an attempt to minimize costs and time through litigation and came to an agreement on the central terms of a settlement. Columbus Regional Healthcare denied and continues to deny all claims arising from the lawsuit and maintains there was no wrongdoing. The decision to settle the lawsuit was made to avoid the risks, uncertainty, and cost associated with continuing the litigation.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Under the terms of the settlement, a fund of $1,175,000 will be created to cover notice and administration expenses, and awards of attorneys’ fees, expenses, and service awards. Attorneys’ fees are expected to be 35% of the settlement fund. All class members may submit claims for up to $5,000 for reimbursement of documented, unreimbursed out-of-pocket losses incurred as a result of the data breach, plus a pro rata cash fund payment, which is estimated to be around $50. The cash payments may be higher or lower depending on the number of valid claims received. The settlement has received preliminary approval from the court and the final approval hearing is scheduled for April 9, 2025. Claims must be submitted by April 2, 2025.
