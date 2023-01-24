ATTLEBORO — Sturdy Memorial Hospital has settled a lawsuit stemming from a ransomware attack in February 2021, according to a published report.
Sturdy has agreed to settle the class action lawsuit filed by patients whose health information was stolen in the cyberattack, the HIPAA Journal reported.
The attack gained access to the data of about 60,000 patients, the publication said.
Some of the information stolen included names, contact information, dates of birth, Social Security numbers, Medicare Health Insurance claim numbers, driver’s license numbers and medical history, The Sun Chronicle reported in 2021.
The attackers threatened to release the information publicly.
Sturdy paid an undisclosed ransom to the hackers to get its information back and offered all those affected two years of free credit monitoring.
The lawsuit, Shedd, et al. v. Sturdy Memorial Hospital Inc., contended while a ransom was paid, payment doesn’t guarantee personal information will be protected.
The suit charged the hospital had maintained patient information in a reckless manner because the information was stored on a system vulnerable to cyberattacks and the data was not encrypted.
The lawsuit alleged the hospital did not follow Federal Trade Commission guidelines and violated Massachusetts laws by delaying sending notification letters to patients for nearly four months.
Sturdy admitted no wrongdoing and chose to settle the lawsuit to avoid ongoing legal costs, the HIPAA Journal said.
Sturdy didn’t immediately respond to a request from The Sun Chronicle for comment late Tuesday.
The suit was filed in September 2021 in Plymouth Superior Court by attorneys for Barbara Ragan Bennett, a resident of Plymouth County, and on behalf of “all others similarly situated.”
It was estimated at that time there were 35,271 others affected by the hack, which took place Feb. 9, 2021.
The suit sought an unspecified amount of damages including extended credit monitoring, “actual damages, compensatory damages, statutory damages and statutory penalties, punitive damages and attorneys’ fees and costs.”
Court documents said damages exceeded $50,000.
Under the terms of the settlement, class action suit members can claim up to $375 for ordinary losses, including out-of-pocket expenses and up to three hours of lost time at $20 per hour.
Claims can also be submitted for documented extraordinary losses incurred between Feb. 9 and Feb. 14, 2021, up to a maximum of $5,000.
The settlement also includes free credit monitoring services for class members.
Members had until Jan. 14 to exclude themselves from or object to the settlement.
Claims must be submitted by Feb. 14.
A “fairness hearing” is scheduled for Feb. 16.
Sturdy is one of two healthcare organizations in Massachusetts that have chosen to settle class action lawsuits that were filed by patients whose protected health information was stolen in cyberattacks
North Shore Pain Management, which operates clinics in Beverley and Woburn, and its vendor, Revolve I.T. Inc, have settled a lawsuit filed in response to an April 2020 ransomware attack, the HIPAA Journal reported.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.