The UCLA Health System plans to invest $5.5 million into healthcare network security, automation, and other cybersecurity improvements as part of its settlement agreement resolving a class-action lawsuit filed in response to a 2015 data breach that affected 4.5 million patients.
For the healthcare network security improvements, UCLA Health will hire three full-time consultants per year for two years for a total cost of $1.2 million and accelerate hardware acquisitions. As a result, the health system expects to complete the network security improvements one year ahead of schedule.
UCLA Health said it is also adding security features, increasing automation, and implementing an expanded security toolset to bolster the data security of its systems.
The health system has agreed to replace or upgrade existing network infrastructure to support features that improve data security.
As part of the settlement, UCLA Health admits no wrongdoing and maintains that it was not liable for the cyberattack and that there continues to be no evidence that the attackers accessed or acquired personal or medical information.
“The parties are entering into this agreement to avoid the expense of further litigation and to provide benefits to the individuals whose information was maintained in UCLA Health’s computer network,” UCLA Health explained in a news release.
UCLA Health will also set up a $2 million fund to reimburse victims for any preventive measures and losses related to the breach. The money will be used to compensate potential victims if they incurred any cost in protecting their personal information or any unreimbursed loss because of identity theft.
“Types of preventive measures costs that may be reimbursed include, without limitation, card cancellation or replacement fees, credit monitoring or reports, the purchase of identity theft protection, costs to place a freeze, alert or unfreeze credit reports, and costs to replace driver’s license, state identification card, or social security number,” UCLA Health explained.
“Unreimbursed Losses may include losses to you from identity theft or unauthorized use of your personal information, including without limitation, charges, late fees, declined payment fees, overdraft fees, returned check fees and/or customer service fees,” it added.
Potential victims can receive reimbursement for preventive measures up to a maximum of $5,000 per individual and $300,000 in total. They can receive compensation for unreimbursed losses due to identity theft or other unauthorized use of personal information up to a maximum of $20,000 per individual and $2 million in total.
In addition, UCLA Health has agreed to provide two years of free credit monitoring and identity protection services, an insurance package, and other compensation to victims.
It also agreed to pay attorney’s fees and expenses, which totaled close to $3.3 million.
Plaintiffs Argued UCLA Health Was Negligent
In the original class-action lawsuit, the plaintiffs argued that UCLA Health was negligent in not taking basic cybersecurity steps to protect confidential patient data, including patient names, addresses, medical information, Medicare numbers, and Social Security numbers. As a result, hackers were able to gain access to that data.
In addition, the plaintiffs charged that UCLA Health was negligent in not reporting the breach in a timely fashion, as required by HIPAA.
UCLA Health first discovered suspicious activity on its network in October 2014 but did not report a breach until May 2015. In explaining the delay, the health system said: “At this time, there is no evidence that the attacker actually accessed or acquired the personal or medical information maintained on the impacted parts of the UCLA Health network, but we cannot conclusively rule out that possibility. Thus, we wanted to make potentially impacted individuals aware of this cyberattack and provide them with information about how to protect themselves.”
James Atkinson, who was interim associate vice chancellor and president of the UCLA Hospital System at the time of the original breach announcement, said in a statement: “Our patients come first at UCLA Health and confidentiality is a critical part of our commitment to care. We sincerely regret any impact this incident may have on those we serve. We have taken significant steps to further protect data and strengthen our network against another cyberattack.”