Elekta Inc. and Northwestern Memorial Healthcare recently agreed to an $8.9 million settlement after a 2021 ransomware attack compromised the sensitive information of over 3.1 million individuals, including genetic data and medical records.
Between April 2 and April 20, 2021, a ransomware attack breached Elekta's cloud-based radiology software, exposing protected health information (PHI). Affected data included names, birth dates, Social Security numbers, health insurance details, medical treatment records, and genetic information. The attack primarily impacted Northwestern Memorial Healthcare, with data from 1.4 million patients, including 201,197 oncology patients, potentially accessed.
The class-action lawsuit consolidated multiple claims, alleging Elekta and Northwestern Memorial Healthcare failed to implement adequate cybersecurity measures to protect patient PHI. Both defendants denied wrongdoing but agreed to settle to avoid further litigation.
Under the settlement terms:
Final settlement approval is set for January 6, 2025, with claims due by December 26, 2024.
According to the Elekta data settlement notice, an individual is “potentially a member of the settlement class if [they] reside in the United States and [their] sensitive information was accessed or potentially accessed in connection with the data incident, including if [they] were mailed a notification letter regarding the data incident.”
Healthcare data breaches expose the persistent vulnerabilities in safeguarding PHI. The Illinois Genetic Information Privacy Act (GIPA) illustrates the expanding influence of state-specific privacy laws, which complicate compliance for organizations managing genetic data.
Organizations must improve their cybersecurity to prevent breaches and legal fallout. With claims deadlines approaching, affected individuals should act to secure the compensation they are entitled to.
Protected health information (PHI) refers to any information in a medical context that can identify an individual and is related to their health status, medical care, or payment for healthcare services. Examples include their names, addresses, birth dates, Social Security numbers, medical records, lab results, and insurance information.
A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
Ransomware attacks are a type of cyberattack in which hackers gain unauthorized access to a computer, encrypt its data, and demand payment in exchange for restoring access to that data.
Hackers often target sensitive information such as personal, financial, or healthcare data, crippling the victim organization's operations until the ransom is paid or the data is recovered by other means.
Ransomware typically spreads through phishing emails, malicious links, or software vulnerabilities, exploiting weak cybersecurity defenses. Even after paying the ransom, victims are not guaranteed data recovery.