In September 2020, the University of Nebraska Medical Center and Nebraska Medicine learned that their systems had been attacked and infected with malware, giving the hackers access to the protected health information (PHI) of around 219,000 persons. The attack forced Nebraska Medicine to shut down its systems, interrupting operations.
The attackers first gained access to Nebraska Medicine's networks on Aug 27, 2020, and for 24 days viewed its systems and patient data. Nebraska Medicine blocked access on Sept. 20, 2020. The lawsuit alleged that the hackers exfiltrated patient information during that time frame. The breach affected patients of Nebraska Medicine, Great Plains Health, Mary Lanning Healthcare, and Faith Regional Health Services.
On February 24, 2021, two patients filed a class-action lawsuit against Nebraska Medicine in the Nebraska U.S. District Court, claiming that Nebraska Medicine was at fault for not maintaining appropriate data security procedures to lower the risk of attacks and security breaches. The plaintiffs sought damages, compensation, and injunctive relief.
The lawsuit claimed that cyber hygiene guidelines were not followed and that a number of security failures resulted in the breach. The plaintiffs alleged that Nebraska Medicine had not performed security upgrades or promptly applied patches for identified vulnerabilities, that end-user account privileges had not been reviewed, that the principle of least privilege was not put into practice, that domain-wide, administrator-level service accounts were used, and that password guidelines had not been implemented or followed. The lawsuit further claimed that Nebraska Medicine was not appropriately monitoring its systems for intrusions and that, as a consequence, it took over 3 weeks to identify the intrusion.
Because of those problems, patient data was not effectively secured and the attackers were able to gain access to a range of sensitive information, such as patients' names, contact data, Social Security numbers, medical insurance details, medical record numbers, and clinical data, which placed the patients at an increased risk of identity theft and fraud.
Nebraska Medicine chose to settle the lawsuit, and the proposed settlement recently received preliminary approval from a Nebraska District Court judge.
Under the terms of the settlement, all class members would be eligible to receive $300 in cash reimbursement for the time and costs they incurred while dealing with the data breach. In addition, class members could claim around $3,000 to cover documented "extraordinary monetary losses" almost certainly caused by the data breach. Nebraska Medicine had already offered affected people access to free credit monitoring services, and the settlement provides coverage for an additional year.
Though the breach was reported to the Department of Health and Human Services' Office for Civil Rights as affecting approximately 219,000 persons, the settlement covers 125,902 patients who were sent breach notification letters, including 13,497 persons whose driver's license number and/or Social Security number was exposed.
Nebraska Medicine has also agreed to take several steps to strengthen security. These include improving its user-identity, email, and password standards; limiting remote system access and improving the security of remote access; and strengthening its network security measures, which includes upgrading endpoint security and firewalls and improving vulnerability management. Nebraska Medicine will additionally carry out more frequent and enhanced risk assessments and will update and strengthen its security operations center. Nebraska Medicine will also pay all legal expenses arising from the legal action and settlement updates.
A final approval hearing has been scheduled for September 15, 2021.