Atlantic General Hospital Pays $2.25 Million to Resolve Data Breach Lawsuit

Atlantic General Hospital in Berlin, MD, has proposed a $2.24 million settlement to resolve a class action lawsuit associated with a ransomware attack in 2023. The settlement proposal was given preliminary approval by the court. The nonprofit hospital identified the ransomware attack on January 29, 2023 after noticing the encryption of files. The incident disrupted patient services for some days because hospital staff could not access patient data and IT systems. The threat actor accessed the hospital’s system between January 20 and January 29, 2023.

The preliminary results of the investigation revealed that about 30,400 people were impacted. The hospital sent notifications on March 24, 2024. However, the continuing investigation showed that more data was affected than earlier thought, so the total number of impacted people is now 136,981. The following data was exposed during the attack: names, birth dates, driver’s license numbers, Social Security numbers, medical insurance data, medical backgrounds, diagnosis and treatment data, and financial details. The impacted persons were provided free credit monitoring services for one year.

Atlantic General Hospital faced multiple lawsuits because of the attack, which were combined into one class action in the U.S. District Court for the District of Maryland. The plaintiffs named in the modified lawsuit were Michael Rentschler, Heather Byam, Cathy Ehrisman, and Kathleen G. Appel, along with a class of similarly situated persons whose sensitive information was exposed in the cyberattack.

The lawsuit claimed Atlantic General Hospital was negligent through a negligent, reckless, deliberate, and/or unconscionable inability to sufficiently meet its contractual, statutory, and common-law responsibilities related to the FTC guidelines, HIPAA laws, and industry-standard information protection practices. The lawsuit claimed that Atlantic General Hospital could have averted the data breach by encrypting sensitive information on its system, and that it failed to identify the attack for over one week.

The lawsuit also claimed a failure to send prompt notifications and to include necessary information in the notification letters, for instance, the length of time the hackers had access to its system and the complete extent of the data affected by the breach. Only 12 months of credit monitoring services were provided to the plaintiffs and class, even though the danger of data misuse will possibly continue for the rest of their lives.

The combined lawsuit stated claims of negligence, bailment, unjust enrichment, breach of implied contract, and a violation of the Maryland Consumer Protection Act. The plaintiffs want a jury trial, legal costs, damages, injunctive relief, and attorneys’ fees. Atlantic General Health System submitted the settlement proposal to avoid continuing legal expenses and the uncertainty of trial; it nevertheless rejected all charges of liability and wrongdoing, as well as all the claims and contentions contained in the lawsuit.

Under the terms of the settlement, a $2,250,000 fund will be set aside to pay for all claims, legal costs, and attorneys’ fees. The lawyers are seeking $750,000, or a third of the settlement. Class members may file a claim for as much as $5,000 for repayment of recorded losses, or can opt for a pro-rata cash payment made after all expenses, fees, and claims have been paid. Class members can also claim credit monitoring and insurance services for 3 years.

The court has approved the proposed settlement and has scheduled the final fairness hearing for September 5, 2024. Claims may be filed until August 22, 2024. The legal representatives of the plaintiffs and the class were lawyers from Kramon & Graham, Milberg Coleman Bryson Phillips Grossman, and Cafferty Clobes Meriwether & Sprengel.


Posted by

John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.