Getty Images

$350K Proposed Settlement Reached in Saint Francis Data Breach Lawsuit

Saint Francis Healthcare, which owns Ferguson Medical Group (FMG), reached a $350,000 lawsuit settlement with the 107,000 patients affected by a 2019 ransomware attack on FMG.

Missouri-based Saint Francis Healthcare System has reached a proposed $350,000 lawsuit settlement with the patients impacted by a ransomware attack on Ferguson Medical Group (FMG). Saint Francis acquired FMG after the cyberattack and subsequent healthcare data breach. 

In September 2019, the FMG computer network was infected with ransomware, rendering all data inaccessible, including all medical records. The health system took steps to secure the network, while working with law enforcement. 

FMG did not pay the ransom, but restored access to the impacted systems using available backups. However, the IT team was unable to restore access to some of the encrypted files. As a result, the health system permanently lost all records for services provided by FMG between September 20, 2018 and December 31, 2018, including documentation scanned into the data system. 

All 107,000 patients impacted by the incident were provided with free credit monitoring services. 

In January 2020, nearly 90,000 breach victims filed a lawsuit against Saint Francis in the US District Court of Eastern Missouri, making several allegations, including negligence per se, invasion of privacy, breach of express and implied contracts, and violation of the Missouri Merchandise Practices Act. 

Patients sought monetary compensation for costs associated with the breach, including attorneys’ fees, as well as a requirement that Saint Francis implemented improved data security safeguards. 

Saint Francis sought to have the case dismissed in March 2020, arguing that the breach victims failed to provide plausible cause for relief. The parties agreed to instead mediate their claims out of court. 

Under the settlement agreement, all breach victims will receive up to $280 to reimburse out-of-pocket expenses related to the breach, for time spent dealing with the security incident, additional credit monitoring and identity theft restoration services, and further equitable relief. 

“Saint Francis committed to carrying out specific data security enhancements to its own systems designed to ensure [patients]’ personal identifying information and private health information is better protected in the future,” according to the lawsuit. 

Further, the health system has committed to reviewing its firewall rules to remove those not used and update its firewall to automatically apply the latest software updates and patches. Saint Francis will also limit the ability of legacy systems to remotely access its network. 

The health system will also implement a vulnerability management program to scan the network for any vulnerabilities and remove the Remote Desktop Protocol (RDP) from its vendor access solution, while assessing and further implementing multi-factor authentication across it VPN access points. 

Lastly, Saint Francis committed to the development and implementation of its password management policies to improve complexity and expiration requirements, along with a review and improvement of its cybersecurity training and the implementation of geo-blocking for traffic directed to certain outbound IP addresses. 

The settlement was fagreed upon by all parties in July 2020, and “guarantees class members the opportunity for real relief for harms and assurance that they are less likely to be subject to similar breaches due to Saint Francis’ data security systems in the future.” 

“Plaintiffs dispute the merits of Saint Francis’ motion to dismiss, and the defenses Saint Francis will likely assert—but it is obvious that their success at trial is far from certain,” according to the lawsuit. “Through the settlement, plaintiffs and class members gain significant benefits without having to face further risk of not receiving any relief at all.” 

The settlement conference is scheduled for Tuesday, November 17 with District Judge Stephen R. Clark of the District Court of Eastern Missouri. 

It’s increasingly common for patients to file lawsuits against providers in the wake of a data breach, but the cases have mixed results given the difficulty in proving actual harm caused by these security events. For some cases, a judge will opt to dismiss, while the majority are settled out of court. 

Recent examples from Episcopal Health Services, UnityPoint Health, and Grays Harbor Community Hospital, highlight the added risks healthcare entities face after experiencing a massive security incident.

Next Steps

Dig Deeper on HIPAA compliance and regulation