Mercy Health Agrees to Pay $1.8 Million to Settle Insider Data Breach Lawsuit
Mercy Health has agreed to a $1.8 million settlement to resolve all claims related to a 2020 HIPAA compliance data breach that affected 11,187 individuals. In contrast to the majority of class action data breach lawsuits, legal action was taken over an insider data breach rather than a cyberattack.
Mercy Health, a health system serving patients in northern Illinois and southern Wisconsin, learned on October 7, 2020, that an employee had accessed patients’ medical records on multiple occasions when there was no legitimate work reason for doing so. The compromised patient information included names, addresses, dates of birth, other demographic information, medical record numbers, treatment and other clinical information and/or radiological images, and for a subset of individuals, health insurance numbers.
Mercy Health notified the affected individuals in December 2020 and confirmed that the employee no longer works for Mercy Health and enhancements had been made to prevent similar incidents in the future. Mercy Health offered the affected patients free credit monitoring services and has not received any reports of fraud or misuse of patient data as a result of the breach.
The lawsuit was filed in the circuit court of the county of St. Louis by T.D. and Monica Gama, who were patients of Mercy Health at the time of the breach. They alleged that Mercy Health was negligent due to the failure to implement reasonable and appropriate cybersecurity measures and access controls. They alleged that if those measures had been in place, the data breach could have been avoided.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Mercy Health disagreed with the claims and denied any wrongdoing and settled the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, class members can claim a flat payment of $90 or they can submit a claim for documented expenses and lost time due to the data breach up to a maximum of $300 per class member, which can include up to 5 hours of lost time at $30 per hour. Class representatives are eligible to receive a $5,000 service payment and class counsel will receive $600,000.
The deadline for objection to and exclusion from the settlement is June 10, 2024, as is the deadline for submitting a claim. The final hearing is scheduled for June 18, 2024.
