Healthcare,
Industry Specific,
Legislation & Litigation
Cyberattack on Health System Compromises Data of Over 235,000 Individuals
A New York state court has granted preliminary approval for a $1.5 million settlement related to a class-action lawsuit against One Brooklyn Health System. This legal action arose following a cyberattack in November 2022, which exposed sensitive health information of over 235,000 individuals, affecting patients, employees, and their families.
The incident involved multiple One Brooklyn facilities, including the Brookdale Hospital Medical Center, Interfaith Medical Center, and Kingsbrook Jewish Medical Center, alongside various nursing homes and health clinics. Legal representations accused One Brooklyn of negligence regarding the safeguarding of personally identifiable information (PII) and protected health information (PHI), thus increasing the risk of identity theft and fraud.
Furthermore, the lawsuit asserted violations of New York state consumer protection laws, as the organization allegedly failed to promptly notify affected individuals about the breach. One Brooklyn has unequivocally denied these allegations.
The proposed settlement allows eligible class members to claim up to $2,500 for documented out-of-pocket expenses and time spent addressing the breach’s ramifications, capped at four hours at $25 per hour. Additionally, claimants are entitled to two years of credit monitoring from all three major credit bureaus.
An alternative cash payment option will also be available, determined after deducting claims and expenses from the settlement fund. In addition to these compensations, the agreement includes $1,000 service awards to the eight plaintiffs involved. Legal representatives for the plaintiffs are seeking up to one-third of the settlement fund, estimated at $500,000, alongside reimbursement for litigation-related expenses.
Moreover, the settlement mandates that One Brooklyn enhance its data security measures, funding these enhancements separately from the settlement fund. The specific improvements to data security are not detailed in court documents.
A final approval hearing for the settlement is scheduled for February 26, 2025, in the Kings County Supreme Court of New York.
Breach Overview
The class-action lawsuit centers on a breach detected as suspicious activity on One Brooklyn’s network in November 2022, which disrupted access to various IT systems, including electronic health records and patient portals, for more than a month. According to a breach notification released by One Brooklyn in 2023, the investigation revealed that a limited amount of data was accessed between July 9, 2022, and November 19, 2022.
Cybercriminals managed to gain unauthorized access and exfiltrate PII from more than 235,000 individuals, revealing names, Social Security numbers, driver’s license numbers, dates of birth, financial details, medical histories, and health insurance information.
While One Brooklyn has not disclosed whether ransomware was implicated in this incident, the report to the U.S. Department of Health and Human Services characterized it as a hacking incident involving 500 individuals, which appears to be a placeholder estimate; further reports indicated it affected 235,251 people.
Despite requests for comment, One Brooklyn’s legal representatives did not respond immediately. Benjamin Johns of Shub & Johns LLC, representing the plaintiffs, expressed satisfaction with the court’s preliminary approval of the settlement and anticipated presenting it for final approval.