
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Eskenazi Health Pays $2.5 Million to Resolve Class Action Data Breach Lawsuit

Eskenazi Health has agreed to settle litigation stemming from an August 2021 ransomware attack in which the protected health information of more than 1.5 million patients was compromised. The ransomware attack was detected on or around August 4, 2024, when files were encrypted on its systems. The forensic investigation confirmed that a ransomware group first accessed its systems on May 19, 2021, and disabled its security systems, allowing them to remain in its network undetected. The initial investigation found no evidence of data theft; however, data exfiltration was later identified.

Data stolen in the attack included names, addresses, telephone numbers, email addresses, dates of birth, medical record numbers, patient account numbers, diagnoses, clinical information, insurance information, prescriptions, driver’s license numbers, passport numbers, face photographs, Social Security numbers, and credit card information. Patients were notified about the data breach in November 2021 and were offered complimentary credit monitoring services. Eskenazi Health was able to recover the encrypted data from backups and did not pay the ransom. The ransomware group uploaded the stolen data to its data leak site.

Several lawsuits were filed in response to the data breach, with plaintiffs alleging they had fraudulent charges applied to their credit cards following the attack. The lawsuits asserted claims of negligence, breach of contract, and unjust enrichment, and also took issue with the length of time it took to discover the attack and exfiltration of data, and the length of time taken to issue individual notifications about the data breach.

Eskenazi Health chose to settle the consolidated class action lawsuit – In re: Eskenazi Health Data Incident Litigation – with no admission of wrongdoing and agreed to pay $2.5 million to cover claims from class members, who have also been offered three years of credit monitoring and identity theft protection services, which include a $1 million identity theft insurance policy. While the breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 1,515,918 individuals, claims will only be accepted from the named plaintiffs and a class of approximately 160,000 individuals (employees and patients) whose personal and protected health information was uploaded to the ransomware group’s dark web data leak site.

Class members may submit a claim for reimbursement of out-of-pocket losses and lost time up to a maximum of $5,000 and are entitled to a pro rata share of any remaining funds in the settlement fund after claims have been paid. The settlement has been approved by the court and claims must be submitted by January 27, 2025.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
