UCLA Health has reached a proposed settlement for a cyber attack that the patient care organization disclosed in 2015.
According to a March 21 news release, “Class-action litigation arising from a cyber attack announced in July 2015 by UCLA Health has been settled by mutual agreement of the plaintiffs and The Regents of the University of California. On February 21, 2019, the judge overseeing the case granted preliminary approval of the proposed settlement, which provides long-term protection for the current and former patients whose personal information was in the attacked computer network.”
Under the proposed settlement terms, UCLA Health admits no wrongdoing. The academic medical center maintains that it was not liable for the cyber attack and that, following an investigation, there continues to be no evidence that the cyber attackers actually accessed or acquired personal or medical information, according to UCLA Health officials.
“The parties are entering into this agreement to avoid the expense of further litigation and to provide benefits to the individuals whose information was maintained in UCLA Health's computer network,” officials stated.
The data breach from 2015 was a massive incident that potentially affected 4.5 million people. The patient data that was breached was not encrypted.
According to a Forbes report at the time, “UCLA Health first noticed suspicious activity on its network in October 2014 and began an investigation with the FBI. On May 5, 2015, UCLA Health was able to confirm that attackers had accessed parts of UCLA Health's network containing patient information, likely beginning in September 2014.”
The proposed settlement terms include:
- Two years of free credit monitoring, identity protection services, an insurance package and related benefits available to all settlement class members even if they previously obtained the one-year credit monitoring package offered by UCLA Health in 2015.
- A $2 million fund that will be used to reimburse settlement class members who incurred costs seeking to protect against, or remedy, identity theft.
- $5.5 million beyond currently budgeted spending—plus any money remaining in the claims reimbursement fund—for the purpose of expediting and implementing cybersecurity enhancements to the UCLA Health computer network.