The California hospital has reached a settlement for a class action suit that stemmed from a 2023 data breach.
Back in 2023, Oak Valley Hospital notified 283,629 patients of a data breach that exposed their sensitive information.
The breach was detected in Oak Valley’s IT systems on July 18th, 2023. Through an investigation, the hospital determined that an unauthorized party had accessed its systems between April 21st, 2023 and July 18th, 2023. During this time, it’s believed that files containing billing and treatment information may have been viewed or stolen.
Accessed files contained names, health insurance information, Social Security numbers, and care-related information.
Following the breach, Oak Valley offered complimentary credit monitoring and identity theft protection services. The hospital also said, “To help prevent something like this from happening again, we strengthened the security of our systems and will continue enhancing our protocols to safeguard the information in your care.”
Since the breach, Oak Valley became the target of a class action lawsuit. The lawsuit alleged that “Oak Valley was responsible for the increased risk of identity theft” victims faced following the data breach. The plaintiffs further claimed that, because of the breach, Oak Valley was negligent, breached their implied contract, was in violation of the California Unfair Competition Law, and more.
Oak Valley and the class action members have now agreed to a settlement.
Under the settlement, class members who submit valid claims may be eligible for up to a $100 payment and may also receive reimbursement, up to $5,000, for documented out-of-pocket expenses that can be traced back to the breach. Lastly, class members may submit claims for lost time at $30 per hour.
The settlement also requires Oak Valley to enhance its cybersecurity practices to better safeguard personal and protected health information.
The settlement received preliminary approval earlier this month and has a final approval hearing scheduled for December 19th, 2024.
Cases like these show that breaches can have consequences beyond the impact felt by patients. It also shows that it can take over a year to resolve a lawsuit, even if it’s not going to trial. When a company is hit by a breach, they can expect significant time and money to go into resolving the issue, especially if it results in a class action lawsuit.
Class action lawsuits are generally the public’s way of holding organizations accountable, and while many healthcare companies have faced lawsuits, breaches continue to skyrocket. Organizations should ensure they have the highest levels of data security possible so that they never have to deal with the time-consuming process of settling a lawsuit.
Related: HIPAA Compliant Email: The Definitive Guide.