LifeBridge Health Settles Healthcare Data Breach Lawsuit for $9.5M

Baltimore-based LifeBridge Health suffered a healthcare data breach that spanned 18 months beginning in 2016 and impacted 530,000 individuals.

Baltimore-based health system LifeBridge Health agreed to pay $9.5 million to settle a healthcare data breach lawsuit. The lawsuit stemmed from a breach initially disclosed in May 2018.

In May 2018, LifeBridge Health detected malware on the server that hosts electronic medical records of Potomac Physicians, one of its physician practices, and the shared registration and billing system for some other LifeBridge Health providers.

Once LifeBridge found the breach and launched an investigation, it discovered that the breach had continued for 18 months after it began in September 2016.

The potentially exposed information may have included patients' names, addresses, dates of birth, diagnoses, medications, clinical and treatment information, insurance information, and, in some instances, Social Security numbers.

The resulting class-action lawsuit also noted that LifeBridge suffered another breach sometime between December 2019 and April 2020, compromising the personal information of patients who made payments to Sinai Hospital.

Impacted patients said that their personal information was compromised, which allegedly led to declined transactions, inability to access email accounts, fraudulent COVID-19 disaster business loans, and fraudulent submissions for unemployment in other states.

“Plaintiffs and Class Members now face an increased risk of identity theft and fraud, if not actual identity theft and resulting losses, and need to take immediate action to protect themselves from such identity theft,” the complaint stated.

“Plaintiffs and Class Members are immediately and imminently in danger of sustaining further direct or indirect injuries as a result of LifeBridge’s failure to protect their Personal Information. The Personal Information obtained by the hackers contains all of the information wrongdoers need to misuse Plaintiffs’ and Class Members’ identities to their detriment.”

The settlement is not an admission of wrongdoing. The settlement agreement consists of $800,000 in payments to class members, including up to $250 per person for unreimbursed losses and $5,000 per class member for proven monetary loss traced to the incident.

Class members who were impacted by the breaches disclosed in both 2018 and 2020 are eligible to submit multiple claims.

LifeBridge also agreed to pay $775,000 in fees and put $7.9 million toward security improvements such as encryption and network monitoring.

Next Steps

Dig Deeper on Cybersecurity strategies