HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Salinas Valley Memorial Healthcare Settles Email Data Breach Lawsuit for $340K

Salinas Valley Memorial Healthcare System in California has agreed to settle a class action lawsuit for $340,000 to resolve claims from patients affected by a breach of its email environment in 2020.

Between April 30, 2020, and June 5, 2020, unauthorized individuals gained access to the email accounts of four employees and a contractor following responses to phishing emails. Prompt action was taken to secure its email environment, but during the 5-week period of compromise, the attacker(s) had access to emails containing sensitive patient information including names, hospital account numbers, medical record numbers, dates of service, and other information.

Legal action was taken against Salinas Valley by a patient affected by the data breach. The plaintiff alleged that Salinas Valley acted unlawfully by failing to prevent the attack, did not fulfill its legal obligations to safeguard the personal and protected health information of the plaintiff and class members, and violated the California Confidential Medical Information Act, Civil Code §§ 56 et seq.

Salinas Valley maintains it was fully compliant with state laws and denied any wrongdoing related to the security breach; however, the decision was taken to settle the lawsuit to prevent ongoing legal costs and the uncertainty of trial.  Under the terms of the proposed settlement, a fund of $340,000 has been created to cover claims from individuals affected by the breach.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

All patients who received a breach notification from Salinas Valley about the exposure of their personal and protected health information will be entitled to submit a claim for up $750 for out-of-pocket expenses and time spent remediating the data breach. Claims will be paid from the fund after attorneys’ fees, expenses, and other court-approved costs have been deducted. Claims will be paid pro rata if the claims total is greater than the settlement fund. The settlement has yet to receive court approval.

Salina valley has also committed to improving security, with the measures including undergoing third-party audits and regular penetration tests, maintaining firewalls and access controls, and providing regular security awareness training to the workforce.

Claims must be submitted no later than August 26, 2022. Any individual who objects to the settlement or wants to remove themselves from the class must do so by August 11, 2022.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.