Columbus Regional Healthcare has decided to pay $1,175,000 to settle litigation associated with a data breach in May 2023. The breach was discovered on May 21, 2023, and based on forensic investigation, hackers got access to areas of its system from May 19, 2023 to May 21, 2024, which included systems containing the personal data and protected health information (PHI) of 132,887 persons.
Columbus Regional Healthcare finished the file analysis on December 28, 2023, which confirmed the exposure of the following data: names, birth dates, addresses, Social Security numbers, passport numbers, driver’s license details, financial account data, medical backgrounds, and medical insurance data. The provider notified the impacted people concerning the data breach on January 2024 and offered those whose Social Security numbers were compromised free credit monitoring services.
Multiple lawsuits against Columbus Regional Healthcare were filed as a result of the data breach. The lawsuits were combined into one lawsuit, In Re: Columbus Regional Healthcare System filed in Columbus County, North Carolina. Later, the lawsuit was taken to the Business Court in Columbus County. The plaintiffs claimed Columbus Regional Healthcare was negligent because it did not implement acceptable and proper safety measures to safeguard the sensitive information kept in its system. The plaintiffs argued that if the healthcare provider had applied effective safety measures, there probably wouldn’t be any data breach or HIPAA violation lawsuits. The lawsuit additionally claimed negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, and intrusion upon seclusion/privacy violation.
Before the substantial motion procedure and official discovery, the parties decided to negotiate a settlement in order to lessen the costs and time of litigation. Columbus Regional Healthcare dismissed and refused all allegations due to the lawsuit and stood firm that there was no wrongdoing. The choice to resolve the lawsuit was made to avoid the risks, hesitation, and costs related to the ongoing litigation.
Based on the terms of the settlement, Columbus Regional Healthcare will create a $1,175,000 fund to pay for notification and administration expenditures, grants of lawyer’s fees, expenses, and service awards. Lawyer’s rates are usually 35% of the settlement fund. All class members could submit claims for around $5,000 for compensation of recorded, unreimbursed out-of-pocket costs undergone due to the data breach. Around $50 or pro rata cash fund payment will also be paid. The cash payments could be more or less depending on the number of claims filed. The court has given preliminary approval of the settlement. The schedule of the final approval hearing is April 9, 2025. Claims should be filed on or before April 2, 2025.