Proposed Settlement in Nebraska Medicine Data Breach Lawsuit
Complaint Alleged Multiple Security 'Failures' Leading to 2020 Cyberattack
A federal court has approved a proposed settlement in a class action lawsuit filed in February against Nebraska Medicine in the wake of a 2020 malware attack and exfiltration of sensitive personal data and medical records of tens of thousands of individuals.
Under the proposed settlement, all class members who submit a valid claim by a yet unspecified deadline are eligible for up to $300 in cash reimbursement for time and expenses incurred dealing with the breach, up to $3,000 for documented "extraordinary monetary losses" that "more than likely" were caused by the incident, and an extra year of credit monitoring, according to court documents.
Omaha-based Nebraska Medicine - a clinical partner of the University of Nebraska Medical Center - reported the hacking incident to the Department of Health and Human Services in February 2020 as a HIPAA breach affecting nearly 216,500 individuals.
But the settlement provides benefits to only about 126,000 individuals who were mailed notifications about the data breach, including nearly 13,500 who were notified that their Social Security number and/or driver’s license number may have been accessed in the incident, court documents note.
In addition to the benefits to eligible class members, the settlement calls for Nebraska Medicine to take a series of measures to bolster its data security practices.
Those include that Nebraska Medicine:
- Implement and enhance password, user-identity, email and user-browsing protocols;
- Enhance and limit remote access capabilities;
- Update and strengthen network security and system security measures, such as endpoint, vulnerability and firewall measures.
The settlement also calls for Nebraska Medicine to implement, update and enhance its security operations center and conduct periodic enhanced risk assessments.
The class action lawsuit against Nebraska Medicine was filed on Feb. 24 in a Nebraska U.S. district court by two patients - John Chacon and Leonard Bradley.
Among other claims, they allege that a series of Nebraska Medicine security failures led to attackers stealing patient data in late 2020.
Affected information includes names, addresses, dates of birth, health insurance information, medical record numbers, and/or clinical information and Social Security numbers, putting individuals at "an imminent, immediate, and continuing increased risk of harm from fraud and identity theft," the lawsuit alleges.
Court documents contend Nebraska Medicine failed to maintain "an adequate data security system to reduce the risk of data breaches and cyberattacks," including failing to:
- Adequately protect patients’ private information;
- Properly monitor its data security systems for existing intrusions, brute-force attempts and clearing of event logs;
- Apply all available security updates and install the latest software patches, update its firewalls, check user account privileges, or ensure proper security practices;
- Practice the principle of least-privilege and maintain "credential hygiene";
- Avoid the use of domainwide, admin-level service accounts;
- Employ or enforce the use of "strong randomized, just-in-time local administrator passwords."
The proposed settlement from the lawsuit "is consistent with other recent negotiated resolutions," notes privacy attorney David Holtzman of the consulting firm HITprivacy LLC, who was not involved in the lawsuit.
Data Breach Details
The class action complaint alleges that between Aug. 27, 2020 and Sept. 20, 2020, Nebraska Medicine experienced a targeted cybersecurity incident "where cyberthieves had unauthorized access to [the entity's] network for approximately 24 days."
The complaint alleges that Nebraska Medicine did not discover that unauthorized persons had gained access to its computer systems for over three weeks.
"The cyberthieves infected Defendant’s IT systems with malicious software and acquired copies of patient and employee information held on Defendant’s systems," the court documents allege.
The data that was exposed included information for patients who were treated at Nebraska Medicine/University of Nebraska Medical Center and three other healthcare organizations - Faith Regional Health Services, Great Plains Health and Mary Lanning Healthcare - whose information was in the Nebraska Medicine network that was compromised, the lawsuit alleges.
"After exfiltrating patient data … cyberthieves launched a ransomware attack using the malware with which the thieves had infected Nebraska Medicine's systems," the lawsuit alleges.
The incident caused disruption to Nebraska Medicine's operations, requiring the entity to initiate its "incident response protocols to minimize any disruption to patients, to isolate potentially impacted devices, and to shut off select systems as a precaution," the complaint says, referring to Nebraska Medicine's own September 2020 breach notification statement about the incident.
Nebraska Medicine's breach notification statement, however, does not specifically identify the incident as a ransomware attack.
The organization declined Information Security Media Group's request for additional details about the incident and comment on the settlement.
Provisions in data incident-related class action settlements calling upon breached entities to improve their security posture appear to be an increasingly common practice in recent years, some experts note.
For instance, a multimillion-dollar 2019 settlement in consolidated class action lawsuits filed against Banner Health in the wake of a 2016 breach affecting at least 2.9 million individuals called for the Phoenix-based health delivery network to implement a number of security improvements in addition to reimbursing affected individuals for expenses related to the incident.
"The costs for these security improvements can be substantial, adding to the overall value of the settlement amount," Holtzman says.