St. Joseph Health Settles Class Action Data Breach Lawsuit
Irvine, Calif.-based St. Joseph Health System has settled a class action lawsuit filed by two plaintiffs after the breach of 31,800 patient health records in 2012, as reported by the Orange County Register. The settlement, finalized last month in California Superior Court in Orange County, provides a total cash payment of $7.5 million to participating settlement class members, 31,074 plaintiffs, who will each receive roughly $241.
Healthcare Informatics obtained a copy of the court document through the webpage, www.sjhsdatabreachclassaction.com, posted on the website of Kurtzman Carson Consultants (KCC), a class action settlement administrator.
The court document indicates that on February 13, 2012, St. Joseph Health System sent letters to approximately 31,802 of its patients, notifying them that it had inadvertently made their personal health information publicly accessible on the Internet, which allowed outside search engines to have access to the information. The information was accessible for a year, from February 2011 to February 2012.
“The letter stated that the type of information accessible included the following: diagnoses lists, active medication lists, lab results, medication allergies, body mass index (BMI), blood pressure, smoking status, advance directive status and demographic information, including spoken language, ethnicity, race, gender and birth date,” the court document stated.
The court documents state that in the lawsuit, plaintiffs alleged that four causes of action by the health system led to the data breach: violation of the Confidentiality of Medical Information Act (CMIA); negligence; money had and received; and violation of the California Unfair Competition Law (UCL), California Business and Professions Code, Section 17200. However, the court documents do not indicate how the patient health data became searchable on internet search engines.
The court documents also indicate that a $3 million fund has been established to cover identity theft losses resulting from the exposure of patient health data. Each patient can apply for up to $25,000 if they suffered identity theft losses as a result of the data breach.
The court documents also indicate that St. Joseph offered one year of identity theft and credit monitoring to 31,802 patients affected by the breach, which totaled $4.5 million. The health system also spent $13 million to institute policies to comply with state and federal authorities and to institute numerous security-related remedial measures. St. Joseph must also pay $7.4 million in attorney’s fees and costs.
According to the article in the Orange County Register, the breach primarily involved patients of St. Jude Medical Center in Fullerton and Mission Hospital in Mission Viejo and Laguna Beach. But roughly one-third of the patients were treated at other St. Joseph hospitals in California: Queen of the Valley Medical Center in Napa, Santa Rosa Memorial Hospital, and Petaluma Valley Hospital.
The Orange County Register article also cited a statement released by the health system in which St. Joseph Health System leadership said they regretted “any undue concern to our patients” and said addresses, Social Security numbers and financial data were not released. The health system also said the information was removed from search engines.
“Additionally since the situation was discovered, we have invested in a number of initiatives to ensure the continued security of patient data, including enhanced data security infrastructure. These measures and more are intended to provide for the safety and security of our patients’ information,” the statement from St. Joseph Health System said, as quoted by the Orange County Register.