web analytics

One Brooklyn Agrees to $1.5M Settlement in 2022 Hack Lawsuit – Source: www.govinfosecurity.com

Rate this post

Source: www.govinfosecurity.com – Author:

Healthcare , Industry Specific , Legislation & Litigation

Health System’s Cyberattack Affected More Than 235,000 Patients, Employees, Others Marianne Kolbasuk McGee (HealthInfoSec) • November 15, 2024    

One Brooklyn Agrees to $1.5M Settlement in 2022 Hack Lawsuit

A New York state court has approved a preliminary $1.5 million settlement of a consolidated amended proposed class action lawsuit against One Brooklyn Health System following a November 2022 cyberattack that compromised sensitive health data of more than 235,000 people.

See Also: The Healthcare CISO’s Guide to Medical IoT Security

The incident affected three One Brooklyn hospital campuses in Brooklyn, New York – Brookdale Hospital Medical Center, Interfaith Medical Center, and Kingsbrook Jewish Medical Center – as well as several nursing homes and health clinics (see: One Brooklyn Not Over November Cyber Incident).

Among its claims, the litigation accused One Brooklyn of negligence in failing to reasonably protect, secure or store plaintiffs’ and class member’s personally identifiable information and protected health information, putting the individuals are risk for identity theft and fraud crimes.

The lawsuit also alleges that One Brooklyn violated New York state consumer protection laws and failed to provide affected individuals with timely notification about the breach.

One Brooklyn denies all the allegations.

Under the proposed settlement, eligible class members can submit claims of up to $2,500 each for actual out-of-pocket losses and attested time spent – up to four hours at $25 per hour – dealing with the aftermath of the data breach.

Settlement class members also will be entitled to claim two years of three-bureau credit monitoring.

As an option to seeking a documented loss payment and credit monitoring, class members may submit a claim to receive a flat-fee alternative cash payment. The amount of that cash payment will be determined after the other claims and expense are deducted from the settlement fund.

The settlement also proposes $1,000 service awards each for the eight plaintiffs. Court documents also indicate that the plaintiffs’ attorneys are seeking up to one-third of the settlement fund, or $500,000, plus reimbursement of incurred litigation expenses up to $50,000.

In addition, the settlement calls for One Brooklyn to enhance its data security practices. One Brooklyn must pay for those improvements separate from the settlement fund. The security measures One Brooklyn has agreed to implement are not specified in court documents.

The Supreme Court of New York State, Kings County has scheduled a final approval hearing for the settlement on Feb. 26, 2025.

Breach Details

At the center of the consolidated proposed class action lawsuit was a cyberattack first detected by One Brooklyn as suspicious activity on its network in November 2022. The incident disrupted access to the healthcare organization’s IT systems, including electronic health records and patient portals for more than a month.

One Brooklyn in a breach notice issued in 2023, said that its investigation determined that an unauthorized actor acquired “a limited amount” of its data from the entity’s IT systems during a period between July 9, 2022, and Nov. 19, 2022.

The investigation into the incident determined that the attack resulted in the unauthorized access and exfiltration by cybercriminals of personally identifiable information of more 235,000 individuals – including patients, employees as well as their spouses, dependents and beneficiaries (see: One Brooklyn Reports Breach, Faces Lawsuit Post Cyberattack).

Information affected in the incident included names, Social Security numbers, driver’s license or state identification numbers, dates of birth, financial account information, medical treatment information, prescription information, medical diagnosis or condition information, and health insurance information.

One Brooklyn has not publicly stated whether the incident involved ransomware (see: Brooklyn Hospitals Decried for Silence on Cyber Incident).

One Brooklyn reported the breach on Jan. 18, 2023, to the U.S. Department of Health and Human Services as a hacking incident involving a network server and affecting 500 individuals, an apparent placeholder estimate.

As of Friday, the HHS’ Office for Civil Rights’ HIPAA Breach Reporting Tool website still had the One Brooklyn incident listed as affecting only 500 people. A breach report One Brooklyn submitted to Maine’s state attorney general on April 20, 2023 said the incident affected 235,251 individuals.

Attorneys representing One Brooklyn in the data breach litigation did not immediately respond to Information Security Media Group’s request for comment.

“We are pleased with the court’s order granting preliminary approval to the settlement, and look forward to presenting it to the court for final approval,” said attorney Benjamin Johns of the law firm Shub & Johns LLC, which represented the plaintiffs, in a statement to ISMG. He did not immediately respond to ISMG’s request for further comment about the case.

Original Post URL: https://www.govinfosecurity.com/one-brooklyn-agrees-to-15m-settlement-in-2022-hack-lawsuit-a-26830

Category & Tags: –

Views: 0

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post