A proposed $7.5 million settlement of a class action lawsuit filed against UCLA Health in the wake of a 2015 cyberattack that affected 4.5 million individuals stands apart from most other breach-related settlements because it requires the organization to spend a substantial sum on improving its security, says attorney Steven Teppler.
Under terms of the settlement, UCLA Health has agreed to spend at least $5.5 million beyond its current budget to expedite and implement cybersecurity enhancements to its computer network.
In addition, a $2 million fund will be used to reimburse settlement class members who incurred costs seeking to protect against, or remedy, identity theft.
All settlement class members are also entitled to two years of free credit monitoring and identity protection services, even if they previously obtained the one-year credit monitoring package offered by UCLA Health in 2015, according to the proposed settlement agreement, which awaits final court approval.
The class action lawsuit was filed against UCLA Health in 2015 soon after the organization revealed that protected health information of millions of individuals was potentially exposed when hackers in late 2014 breached its network (see: UCLA Health Faces Lawsuit – Already).
“What stands out most to me about this settlement is the amount of funds that are guaranteed to be spent on improving network security architecture,” Teppler, an attorney who specializes in technology issues and electronic discovery and who was not involved in the case, says in an interview with Information Security Media Group.
“I think it’s a good thing, and a necessary thing, and it’s an enforceable provision in the settlement agreement,” he says. The provision also is subject to supervision, and funds need to be expended within a certain timeframe, he adds.
Many details about the steps UCLA Health must take to improve its cybersecurity under the settlement are redacted in a settlement exhibit document labeled “highly confidential” on the website of the claims administrator handling the case.
The cyberattack on UCLA Health that triggered the lawsuit affected 4.5 million individuals.
But the settlement exhibit notes that UCLA Health is required to replace or upgrade its existing network infrastructure; implement a variety of new security hardware and software, including tools to help automate and reduce manual security reviews of systems; and retain three full-time consultants for two years to assist in implementing the additional security features.
Under the settlement terms, Teppler says, “there are obligations that are not mere vaporous promises to do something in the future.”
In the interview, Teppler also discusses:
- How the UCLA Health settlement compares with a $115 million settlement last year in a consolidated class action lawsuit against health insurer Anthem over a 2014 cyberattack that impacted nearly 79 million individuals;
- Key security lessons emerging from the UCLA Health settlement;
- His analysis of other provisions in the UCLA Health data breach settlement agreement.
Teppler leads the electronic discovery and technology-based litigation practice at the law firm Mandelbaum Salsburg P.C. He’s the co-chair of the American Bar Association’s IoT Committee; a member of the Seventh Circuit Court of Appeals Electronic Discovery Pilot Program; a founder and co-chair of the American Bar Association’s IoT National Institute as well as the American Bar Association’s National Institute on Electronic Discovery and Information Governance; and a contributing author of the ANSI X9F4 trusted timestamp guideline standards for the financial industry.