HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

St. Joseph Health Settles Class Action Data Breach Lawsuit

St. Joseph Health System has settled a class action lawsuit filed by two plaintiffs for the breach of 31,800 patient health records that took place in 2012. A settlement of $15 million will be split between patients and attorneys, with $7.5 million going to patients and $7.5 million covering attorneys’ fees and legal costs. All patients affected by the breach will receive a check for $242.

A $3 million fund has also been set up to cover identity theft losses that resulted from the exposure of patient health data. Each patient can potentially claim up to $25,000 if they can demonstrate they have suffered losses as a result of the data breach.

The data breach in question lasted almost a year and affected patients from a number of hospitals and medical centers run by St. Joseph Health, including Queen of the Valley Medical Center in Napa, Santa Rosa Memorial Hospital, Petaluma Valley Hospital, St. Jude Medical Center in Fullerton, the Auxiliary of Mission Hospital in Mission Viejo and Laguna Beach, Redwood Memorial Hospital of Fortuna, and Saint Joseph Hospital of Orange and Eureka.

Full medical records were not released and Social Security numbers were not exposed, although the names of patients, medical diagnoses, lab test results, medication allergies and personal health information such as body mass indexes were all potentially accessible over the Internet. The data were indexed by search engines such as Yahoo and Google. According to the plaintiffs, the data could easily be found through the search engines, although St. Joseph Health maintained that very specific searches would have been required to locate them. The data exposure occurred as a result of misconfigured security settings.

St. Joseph Health System released a statement apologizing for the error and for causing undue concern to patients. It pointed out that the patient health data had subsequently been secured and de-indexed from the search engines.

St. Joseph Health has since implemented a number of protections to improve safety and security, which include an enhanced data security infrastructure. The system upgrade to improve security cost St. Joseph Health more than $17 million and a further $4.5 million was spent on providing credit monitoring services to all breach victims.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.