In September 2020, Nebraska Medicine and the University of Nebraska Medical Center found out that their systems were hacked and downloaded with malware allowing the hackers access to the protected health information (PHI) of approximately 219,000 people. The attack compelled Nebraska Medicine to de-activate its systems resulting in disruption to operations.
Hackers initially acquired access to Nebraska Medicine’s systems on Aug 27, 2020 and for 24 days accessed its systems and patient data. Nebraska Medicine terminated access on Sept. 20, 2020. During that period, the lawsuit alleged the attackers exfiltrated patient information. The breach affected patients of Nebraska Medicine, Great Plains Health, Faith Regional Health Services, and Mary Lanning Healthcare.
On February 24, 2021, two patients filed a class-action lawsuit in the Nebraska U.S. District Court against Nebraska Medicine alleging that Nebraska Medicine was negligent for failing to retain a sufficient data security program to decrease the risk of cyberattacks and data breaches. The plaintiffs wanted damages, restitution, as well as injunctive relief.
The lawsuit claimed cyber hygiene best practices hadn’t been adopted and several security failures had led to the breach. The plaintiffs alleged Nebraska Medicine did not perform security updates or applied patches for known vulnerabilities quickly, user account privileges had not been inspected, the principle of least privilege was not observed, domain-wide, admin-level service accounts were being used, and password policies were not enforced or followed. The lawsuit additionally claimed Nebraska Medicine wasn’t effectively tracking its systems for attacks, therefore it took more than 3 weeks to discover the intrusion.
Due to those issues, patient data was not sufficiently protected and the hackers were able to grab a variety of sensitive information such as patients’ names, contact details, Social Security numbers, health insurance data, medical record numbers, and clinical details, which put them at a higher risk of identity theft and fraud.
Nebraska Medicine made a decision to resolve the case and the proposed settlement recently got preliminary approval by a Nebraska District Court judge.
Based on the conditions of the settlement, all class members shall be qualified to get $300 in cash reimbursements for the time and expenditures they sustained while addressing the data breach. Additionally, class members may be paid around $3,000 to take care of documented “extraordinary monetary losses” most likely due to the data breach. Nebraska Medicine had actually offered the impacted person access to complimentary credit monitoring services, with the negotiation giving coverage for another 12 months.
Although the breach report was submitted with the Department of Health and Human Services’ Office for Civil Rights as affecting approximately 219,000 people, the settlement covers 125,902 patients who were given breach notification letters, including 13,497 individuals whose Social Security number and/or driver’s license number was breached.
Nebraska Medicine has additionally agreed to implement a number of steps to enhance security, which includes boosting its user-identity, email, and password practices, restricting its remote system access and improving security for remote access, and conditioning its network security steps, which include updating endpoint security, firewalls, and enhancing vulnerability management procedures. Nebraska Medicine will likewise go through more regular and enhanced risk evaluations and will update and improve its security operations center. Nebraska Medicine will additionally pay all legal fees due to the lawsuit and settlement notices.
The last hearing of acceptance has been planned for September 15, 2021.