New Mexico Medical Center Proposes Settlement for Data Breach Lawsuit

The San Juan Regional Medical Center (SJRMC) has proposed a settlement to a class-action lawsuit. The lawsuit, Henderson et al. vs San Juan Regional Medical Center, concerned a data breach that affected 68,792 patients.

On September 8, 2020, the New Mexico-based medical center was targeted by hackers who subsequently gained access to its network. While on the network, the hackers accessed files that contained private patient information such as names, dates of birth, Social Security Numbers, passport information, bank account numbers, health insurance information and medical data. Upon detection of the attack, SJRMC offered the affected patients 12 months of complimentary credit monitoring.

However, the lawsuit – filed on behalf of Jeremy Henderson and other patients – alleges that the medical center was negligent in its duty to protect patient data. Though the lawsuit was not filed over a HIPAA violation, it still contends that the lack of security violated HIPAA. The lawsuit also alleges that SJRMC took too long to notify affected individuals about the breach; Henderson was not notified that his information had been accessed until more than a year after the attack occurred.

SJRMC has offered to settle the case out of court, though it has done so without admitting wrongdoing or accepting liability for the data breach. The settlement covers all patients whose identifiable information was accessed during the attack, as well as those whose Social Security, financial account, driver’s license, or passport numbers had potentially been compromised.

Each of the affected individuals can receive two further years of complimentary credit monitoring alongside identity theft protection services. They are also able to claim up to $2,500 in compensation for losses related to the breach (such as fees for credit reports, credit monitoring services and identity-theft insurance premiums). They may also claim up to $17.50 an hour for lost time spent dealing with the effects of the breach.

Those involved in the lawsuit have until January 9, 2023 to object or ask to be excluded from the settlement. Claims must be submitted by February 8, 2023, and a fairness hearing is scheduled for February 22, 2023.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681