
Conway Regional Medical Center Reaches $295K Settlement Over Healthcare Data Breach

The Arkansas medical center fell victim to a phishing scam in 2019, leading to a healthcare data breach lawsuit.

Conway Regional Medical Center in Arkansas agreed to pay $295,000 to settle a lawsuit stemming from a 2019 healthcare data breach. In June 2019, Conway fell victim to a phishing scheme resulting in the potential exposure of personal information, including names, Social Security numbers, addresses, health insurance information, and medical information.

The plaintiff alleged that Conway “failed to adequately safeguard its patients’ electronically stored personally identifiable information and protected health information.”

Specifically, the plaintiff alleged that Conway was negligent, invaded the privacy of its customers, and violated the Arkansas Deceptive Trade Practices Act.

“Conway maintains that it has meritorious defenses, and it was prepared to vigorously defend the lawsuit,” the settlement notice stated.

“The settlement is not an admission of wrongdoing or an indication that Conway has violated any laws, but rather the resolution of disputed claims.”

Individuals who were impacted by the breach can submit claims for up to $850 if the settlement receives final approval. In addition, class members may be eligible for two years of identity protection services and up to $40 for lost time dealing with the aftermath of the breach.

“Conway has implemented improvements to improve its cybersecurity since the Incident and shall continue in its efforts to improve its cybersecurity,” the notice stated.

Those efforts include phishing training with the help of a third-party vendor, maintenance of secure mailboxes, HIPAA minimum necessary training, and the implementation of a managed detection and response security system.

In addition, Conway said it has implemented training on what types of data constitute personal health information, multifactor authentication, deployment of a secure password storage platform, and additional upgrades to enhance security controls.
