Eskenazi Health Settles $2.5M Data Breach Lawsuit

HIGHLIGHTS:

• Eskenazi Health agreed to settle a $2.5-million lawsuit over 2021 data breach
• The company denied any wrongdoing but agreed to the settlement to resolve the lawsuit
• Affected individuals may be eligible to receive at least $5,000 for any data breach-related lost, free credit monitoring, and identity theft protection.

Indianapolis-based Eskenazi Health has agreed to settle a $2.5 million class action for its failure to prevent a data breach incident that compromised the sensitive information of its patients and employees in 2021.

According to the company, hackers gained access to Eskenazi Health’s network on May 19, 2021, where sensitive information such as names, addresses, birth dates, Social Security numbers, health insurance information, medical record numbers, and driver’s license numbers have been compromised.

The company only announced the incident to the public in November 2021, or six months after the breach.

Eskenazi Health did not admit to any wrongdoing but agreed to pay to resolve the lawsuit.

$5,000 for data breach-related losses

If approved by the courts, class members may be eligible to receive $5,000 for out-of-pocket data-breach-related losses, including bank fees, communication charges, travel expenses, and credit-related costs, among others.

They may also be able to receive up to four hours of lost time at a rate of $20 per hour for a total of $80 in lost time payments.

Affected individuals may also be eligible for pro rata payments from the settlement fund, depending on the number of claims filed with the settlement.

According to a report, no payment estimates are available at this time.

Class members can receive both reimbursement and pro rata payments from the settlement.

In addition to monetary benefits, the company would also provide three years of credit monitoring and identity theft protection services, including $1 million in identity theft insurance.

Class members have until January 27 this year to file a claim. They must submit a valid claim form to qualify.

Anna Jaques Hospital breach

Healthcare companies seem to have been the primary target of ransomware attacks over the past few years.

In 2023, another hospital operator, Anna Jacques Hospital which is based in Newburyport, Massachusetts, was similarly hit by a data breach incident that affected customers’ sensitive information including names, demographics, medical information, health insurance, Social Security numbers, driver’s license numbers, and financial information

The breach was discovered in December last year, prompting the hospital to temporarily divert patients from its emergency rooms after its health record system was shut down.

Initially, the hospital informed the public about the breach last January 23, following an online post by hack group Money Message which listed the hospital among the victims and claimed to have stolen 600 gigabytes of data.

However, on January 19, 2024, the attackers publicly demanded ransom, threatening to release stolen patient data unless their demands were met.