Court Approves Settlement for HCA Data Breach Class Action


HCA Healthcare Reaches Multimillion-Dollar Settlement Following 2023 Data Breach

HCA Healthcare has agreed to settle a class action lawsuit stemming from a 2023 email breach impacting approximately 11.3 million patients.

This week, a federal court in Tennessee approved a substantial settlement related to class action litigation against HCA Healthcare, following a data breach in 2023 in which attackers accessed information from an external email storage system. This breach affected over 11 million individuals, raising significant concerns about data protection within the healthcare sector.

The class action was initiated after HCA disclosed the breach on July 10, 2023. While HCA has stated that no clinical or financial information was compromised, the leaked data included patient names, addresses, email addresses, phone numbers, genders, service dates, appointment locations, and future appointment details. In MITRE ATT&CK terms, the breach appears to align with tactics associated with initial access and data exfiltration.

As part of the settlement terms, class counsel will receive $3.1 million in attorney’s fees, suggesting an estimated total settlement amount of around $9.3 million when factoring in typical percentages for similar cases. The agreement allows affected individuals to claim up to $5,000 for documented losses associated with the incident, and it includes one year of complimentary credit and identity monitoring services.

Notably, the settlement does not provide an option for class members to receive a proportional cash payment, a departure from other recent settlements in the realm of healthcare data breaches. Regulatory legal expert Rachel Rose emphasized that claims must be substantiated by documented evidence of loss, indicating a rigorous approach to compensatory claims due to the nature of damages.

HCA has committed to implementing enhanced security measures as part of the settlement agreement, which are detailed in confidential court documents. These measures aim to prevent similar breaches in the future, highlighting the need for robust cybersecurity frameworks, particularly in a sector as sensitive as healthcare.

HCA operates a substantial network within the industry, managing 190 hospitals and about 2,400 outpatient care sites across the United States and the United Kingdom. While neither party involved in the litigation responded to inquiries about the specifics of the settlement, HCA expressed satisfaction in reaching a resolution to the lawsuits, which encompassed a total of 27 individual claims following the cyberattack.

The settlement illustrates ongoing challenges in safeguarding patient information in the face of evolving cyber threats. Plaintiffs in the case had alleged negligence on HCA’s part for not adequately protecting sensitive patient data—a reminder of the critical importance of cybersecurity measures in mitigating potential data breaches.
