Judge Approves Nebraska Medicine Data Breach Lawsuit Settlement

A preliminary settlement has been reached in the data breach lawsuit against Nebraska Medicine, filed by some of the 219,000 patients affected by a 2020 ransomware and data theft incident.

A judge for the US District Court of Nebraska has approved a preliminary settlement in the data breach lawsuit filed against Nebraska Medicine in February 2021. However, most of the terms have been sealed to prevent undermining the agreed upon relief measures.

The lawsuit stems from a ransomware attack and subsequent data breach impacting approximately 219,000 patients, which Nebraska Medicine reported in September 2020 and February 2021, respectively.

Amid the ransomware wave against more than a dozen US healthcare providers in the fall of 2020, a cyberattack against Nebraska Medicine led to access issues with its computer systems, EHR, and patient portal at multiple care sites, including Great Plains Health and hospital branches in Hastings, Norfolk, and Beatrice.

The provider was forced to revert to EHR downtime procedures, with officials stressing that patient care was continuing with minimal disruptions. However, some non-urgent procedures were postponed, as clinicians could not access patient records.

Great Plains Health had previously faced a ransomware attack in 2019, and officials said the care team was using that experience to respond to the similar outages.

The outages were suspected to be caused by ransomware, but it was not confirmed until Nebraska Medicine released a breach notification that shed light on the attack details in February of this year.

The notice revealed that the hackers first gained access to Nebraska Medicine’s network in August 2020, a month before deploying the ransomware. The attackers exfiltrated some patient and employee data prior to installing malware.

The breached information included patients from Faith Regional Health Services, Great Plains Health, and Mary Lanning Healthcare, as the data was stored in the Nebraska Medicine/University of Nebraska Medical Center network.

In response, several patients swiftly filed a lawsuit against Nebraska Medicine “to obtain damages, restitution, and injunctive relief” through a class action filing.

The data varied by patient, but the lawsuit settlement shows 125,902 patients were mailed breach notices, and of those, 13,497 persons were told their Social Security and/or driver’s license numbers were potentially accessed during the hack.

“[Patients] suffered ascertainable losses in the form of loss of the value of their private and confidential information, loss of the benefit of their contractual bargain, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack,” according to the suit.

The cyberattack and resulting losses occurred because of what the lawsuit called the “inadequate safeguarding” of protected health information and the reckless manner in which the data was maintained.

Specifically, the breach victims accused the health system of maintaining the data in a condition vulnerable to attacks, even though such an attack was a “known and foreseeable risk.” Nebraska Medicine was also accused of failing to provide timely and adequate notice to breach victims.

While much of the agreement terms are sealed, the settlement requires Nebraska Health to implement improvements to its security policies, procedures, and tools.

Details into the security specifics will remain confidential, to prevent “significant harm as it would disclose the various measures Nebraska Medicine has implemented and has agreed to implement to protect the personal identifying information and private health information.”

Nebraska Medicine is also required to pay for all costs incurred by the breach victims’ lawsuit and settlement notices.

A final hearing of approval is scheduled for September 15, 2021, where the court will consider the fairness of the proposed settlement.

Healthcare data breach lawsuits are common given the current threat landscape and the frequency of breach and attack notices. As previously reported, the results vary by court, and cases are often settled out of court.

The definition of “actual harm” is the crux of the issue yet to be settled by a higher court. As such, there’s no clear path forward for many of these cases.

For example, a judge recently dismissed two claims made in a data breach lawsuit against Universal Health Services, as the victims failed to demonstrate actual harm. One claim was allowed to proceed as a patient experienced care delays and financial losses.