Settlement to Resolve Nebraska Medicine Data Breach Lawsuit Receives Preliminary Approval

In September 2020, Nebraska Medicine and the University of Nebraska Medical Center discovered their systems had been hacked and malware had been downloaded to its network that gave hackers access to the protected health information of up to 219,000 individuals. The attack forced Nebraska Medicine to shut down its systems causing disruption to operations.

Hackers first gained access to Nebraska Medicine’s systems on Aug 27, 2020 and had access to its systems and patient data for 24 days. Access was terminated by Nebraska Medicine on Sept. 20, 2020. During that time, the lawsuit alleged patient data was exfiltrated by the attackers. The breach affected patients of Nebraska Medicine, Faith Regional Health Services, Great Plains Health, and Mary Lanning Healthcare.

On February 24, 2021, a class action lawsuit was filed against Nebraska Medicine in the Nebraska U.S. District Court by two patients alleging Nebraska Medicine was negligent for failing to maintain an adequate data security system to reduce the risk of cyberattacks and data breaches. The plaintiffs sought damages, restitution, and injunctive relief.

The lawsuit alleged cyber hygiene best practices had not been followed and multiple security failures had contributed to the breach. The plaintiffs alleged Nebraska Medicine had not performed security updates or implemented patches for known vulnerabilities promptly, user account privileges had not been checked, the principle of least privilege was not followed, domain wide, admin-level service accounts were in use, and password policies had not been implemented or followed. The lawsuit also alleged Nebraska Medicine was not properly monitoring its systems for intrusions, hence why it took more than 3 weeks for the intrusion to be discovered.

As a result of those failures, patient data was not adequately protected and the hackers were able to steal a range of sensitive data including patients’ names, contact information, medical record numbers, Social Security numbers, health insurance information, and clinical information, which placed them at an elevated risk of identity theft and fraud.

Nebraska Medicine decided to settle the lawsuit and the proposed settlement has recently been given preliminary approval by a Nebraska District Court judge.

Under the terms of the settlement, all class members will be entitled to claim $300 in cash reimbursements for the time and expenses they incurred while dealing with the data breach. In addition, class members can claim up to $3,000 to cover documented “extraordinary monetary losses” most likely resulting from the data breach. Nebraska Medicine had already offered affected individuals access to complimentary credit monitoring services, with the settlement extending coverage for a further 12 months.

While the breach was reported to the Department of Health and Human Services’ Office for Civil Rights as affecting up to 219,000 individuals, the settlement covers 125,902 patients who were mailed breach notification letters, including 13,497 patients whose Social Security number and/or driver’s license number was compromised.

Nebraska Medicine has also agreed to take several steps to improve security, including enhancing its user-identity, email, and password protocols, limiting remote access to its systems and enhancing security for remote access, and strengthening its network security measures, including updating endpoint security, firewalls, and improving vulnerability management practices. Nebraska Medicine will also undergo more frequent and enhanced risk assessments and will update and enhance its security operations center.  Nebraska Medicine will also cover all legal costs arising from the lawsuit and settlement notices.

A final hearing of approval has been scheduled for September 15, 2021.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.