What happened
Columbus Regional Healthcare System (CRHS) in Whiteville, North Carolina recently reached a class action lawsuit settlement with victims of a 2023 data breach.
The breach, which took place between May 19th, 2023, and May 21st, 2023, impacted approximately 132,887 patients.
Since then, CRHS has been embroiled in a class action suit alleging that the healthcare system was negligent, and that this negligence led to the data breach.
Now, the two parties have reached a proposed settlement of 1.175 million for victims. A final approval hearing is scheduled for April 9th, 2025.
Going deeper
According to the lawsuit, the plaintiff claimed that they felt a direct impact following the data breach, including:
- An attempt made to use their debit card without authorization.
- A credit card opened in the plaintiff’s name without permission.
- An attempt to place an order on the plaintiff’s Amazon account without permission.
The lawsuit further alleged that CRHS failed to “exercise reasonable care in securing and safeguarding sensitive patient [personally identifying] information and/or [protected health] information – including first and last names, Social Security numbers, dates of birth, health insurance information, personal addresses, and sensitive patient medical treatment information.”
As part of the settlement, CRHS is not required to admit any wrongdoing.
Class action members can receive up to $5,000 for out-of-pocket expenses related to the breach, including unreimbursed fraud losses, professional fees, and credit expenses. Members can also receive a pro rata share of the settlement, which is estimated to be around $50 per claimant.
Individuals wishing to opt out must do so by March 3rd, and individuals wishing to file a claim must do so by April 2nd.
Why it matters
The incident showcases the financial costs associated with data breaches, even if the breaches were accidental or difficult to prevent. These lawsuits are designed to provide restitution to victims and serve as an example of what can happen to organizations that fail to protect private data.
For CRHS, the financial toll could be significant, but may encourage the health system to improve and prioritize security.
The big picture
Class action lawsuits are on the rise across the United States, but some believe these lawsuits are unfair. The Nebraska Senate recently introduced a bill aiming to limit class action suits regarding data breaches in the state. The bill argues that these suits clog courts and place an undue burden on organizations that already prioritize cybersecurity. While the bill has yet to be passed, if it does, it could lay the groundwork for other states to prevent these class action suits from moving forward.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
