Email hack costs Salinas Valley Memorial Health $340K in breach settlement

Salinas Valley Memorial Healthcare System in California has reached a $340,000 settlement with the 2,384 patients impacted by the hack of its email systems in mid-2020.

Under the settlement, patients who file a claim are eligible to receive a cash payment for all out-of-pocket expenses and lost time directly tied to the incident, as well as $25 an hour for up to four hours of lost time. Payments are capped at $750.

Filed in the Superior Court of California, Monterey County, the lawsuit stems from multiple security incidents against the SVMHS email system first reported in July 2020. However, the first account compromise was discovered three months earlier in April. The subsequent investigation would later find three employee and multiple contractor accounts were involved.

The attacker gained access through the SVMHS browser-based email platform, Microsoft Outlook Web Access. Patient data was only found in one of the accounts. Forensics suggested the threat actor only had access for a few hours before SVMHS disabled the account.

The account contained patient names, hospital account and medical record numbers, provider information, and other personal data. No Social Security numbers, driver’s licenses, or bank account details were found in the impacted accounts, nor did SVMHS did not find evidence the attacker viewed, retrieved, or copied the data.

Nonetheless, a patient filed a lawsuit against SVMHS, claiming the health system “acted unlawfully” when it failed to prevent the breach and failed its “legal duty” to adequately secure patient data.

SVMHS continues to deny the allegations and contends that it adhered to the applicable laws. The settlement is not an admission of guilt.

In addition to the monetary payout, the health system is also required to bolster its cybersecurity measures, as well as contract with an outside auditor for routine pen testing and scanning, firewall maintenance, and access controls.

A final hearing to approve the settlement is scheduled for Oct. 28. Given the small number of impacted patients and the cost of the settlement, the lawsuit should serve as a warning for healthcare providers to review their processes and compliance controls to prevent a similar, costly event.