Why Hospitals Are Ponying Up Big Cash To Victimized Patients
A recent malware-based cyberattack on Community Health Systems, which operates Trinity Medical Center in Birmingham and 10 other facilities statewide, has allowed hackers to access the private data of over 4.5 million customers.
Although Trinity spokeswoman Leisha Harris says, “Trinity Medical Center and its affiliated clinics were not affected by the data breach reported this morning by Community Health Systems,” Lori Light, director of marketing and public relations for Crestwood Medical Center, confirms that Social Security numbers and health plan policy accounts were stolen.
“Limited personal identification data belonging to some patients who were seen at some Crestwood employed physician practices and clinics affiliated with Crestwood over the past five years was transferred out of the CHS system in a criminal cyber attack by a foreign-based intruder,” Light said in a statement. CNN reports the breach includes 206 hospitals in 29 states.
“The attacker was able to bypass the company’s security measures and successfully copy and transfer certain data outside the company,” the filing stated. “The company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data. However, in this instance, the data transferred was non-medical patient identification data related to the Company’s physician practice operations.”
Such data breaches are not only scary—they can be expensive and damaging events for any company. Here’s exactly how the security headache unfolds.
1. The actual damage caused by the data breach:
a. Loss of proprietary corporate information
b. Cost of research and development which produced the stolen data
c. The lost value of a company’s name and damaged reputation
d. Manpower costs needed to rebuild the broken system, reproduce the stolen data, and/or fix the vulnerability that enabled the data breach to happen
2. Damages to be paid to the victims, usually the owners of the data that was stolen/breached.
Flowers Hospital of Alabama had to pay at least $150,000 in overall damages to affected patients, each of whom received $5,000 for the loss of their data to malicious third parties, making the total payout $6 million. “The total amount of relief that can be awarded to any one settlement class member is $5,000. If the total amount of claims submitted exceeds $150,000, then the claims will be reduced pro rata as to all claims. So, the total amount paid by Flowers does not exceed $150,000,” the settlement specifically states. The fine was brokered by Flowers Hospital in order to settle a 2014 class-action lawsuit.
The perpetrator of the data breach was Kamarian Millender, who in 2014 was a lab technician at Flowers Hospital. He deliberately stole the hospital’s patient records from June 2013 to February 2014; the records were described as “unguarded, unprotected, and/or otherwise subject to theft by Flowers employees and other third parties who otherwise had no reason to be in possession of such information.” The culprit was caught and confessed to the destructive cybercrime. The stolen information severely affected 1,200 specific patients, whose names have been kept anonymous. Flowers Hospital made a public announcement of the data breach on April 15, 2014.
The fine covers credit monitoring expenses, four hours of lost wages spent dealing with the breach, and refunds due to tax refund fraud. The lawsuit was escalated to class-action status in March 2017 for violation of the Fair Credit Reporting Act. Patients whose data was stolen are at great risk of identity theft as a result. As per the settlement, the hospital agreed to pay the damages, as long as the affected patients file their claims on or before December 13, 2018.
The decision will depend on the federal judge. If he agrees with the settlement, Flowers Hospital will be released from any criminal penalties at the cost of paying damages to the victims. Completion of the out-of-court settlement will finalize the motion to dismiss that Flowers Hospital filed with the court. “Any motion to dismiss filed in response to plaintiffs’ amended complaint, and any response in opposition thereto, shall fully set forth any arguments in support of or in opposition to such motion, and shall not simply renew or incorporate arguments made in previous motions and responses thereto,” said the federal judge.
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies. Currently, he is a freelance writer on the latest security news and other happenings. He has authored numerous articles and exploits, which can be found on popular sites like hackercombat.com and others.