Atlantic General reaches $2.25M data breach settlement

Maryland-based Atlantic General Hospital reached a $2.25 million data breach settlement over a January 2023 hack and subsequent data breach that affected 30,000 individuals.

AGH, which serves patients in Maryland, Virginia and Delaware, suffered a ransomware attack that led to network outages and potentially compromised patient data. The data involved in the breach included names, Social Security numbers, financial account information, medical record numbers, treating physicians, and health insurance information.

Following the breach, affected patients filed a class action lawsuit alleging that AGH had failed to invest in data security, causing what the plaintiffs saw as an "eminently avoidable cyberattack."

"It is clear that AGH failed to take sufficient and reasonable measures to safeguard its data security systems and protect highly sensitive data in order to prevent the Data Breach from occurring; to disclose to its patients, and the public at large, that it lacked appropriate data systems and security practices to secure Private Information; and to timely detect and provide adequate notice of the Data Breach to affected individuals," the consolidated complaint stated.

The plaintiffs argued that they had suffered immediate danger of identity theft and misuse of their private information, especially because the breach occurred due to the actions of malicious actors.

In addition to imminent danger, the plaintiffs alleged that they suffered injuries as a result of AGH's conduct, including diminished value of their private information, out-of-pocket expenses and lost time.

AGH did not admit any wrongdoing but agreed to the terms of the settlement since further litigation would be costly. The $2.25 million settlement fund includes attorneys' fees and allows claimants to receive funds for documented losses up to $5,000.

In addition to a settlement claim, class members can also make a claim for three years of credit monitoring and insurance services.

As previously reported, healthcare data breaches often result in class action lawsuits. However, establishing standing in court can be challenging, and the involved parties often reach settlements to avoid protracted litigation.

As the legal landscape continues to evolve, healthcare organizations can reduce risk by maintaining contact with trusted vendors and working with cyber insurance providers.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.