Top Class Actions reports:
A $7.5 million class action settlement has been reached, resolving claims that a July 2015 data breach exposed personal information stored by the UCLA Health Network.
The UCLA Health class action settlement provides $2 million to pay for unreimbursed loss claims and preventative measure claims. In addition, UCLA Heath has agreed to set up a cybersecurity enhancement fund of $5.5 million.
Read more and find the claim submission form for eligible class members on Top Class Actions.
UCLA Health Network’s original release about the incident can be read here. OCR closed its investigation of the incident with the following note/summary:
A hacker accessed parts of the covered entity’s (CE) computer network that contained the clinical and demographic information of approximately 4,500,000 individuals. The CE reported the incident to the Federal Bureau of Investigation and conducted a forensic analysis of the incident. The CE provided breach notification to HHS, affected individuals, and the media, and also posted substitute notice. Following the breach, the CE implemented technical and administrative safeguards designed to help detect and contain any future cyber-attacks. OCR obtained assurances that the CE implemented the corrective actions above.
So that was it as far as HHS was concerned, but of course, that doesn’t stop anyone from suing an entity over a breach. The consolidated case is:
Adlouni v. UCLA Health System Auxiliary, et al., Case No. BC589243, in the Superior Court of the State of California, County of Los Angeles.
The final court hearing is scheduled for June 18, 2019.
I’m curious as to what the additional $5.5 million security enhancements are to be — and are these over and above what UCLA Health Network had already agreed to implement as part of HHS’s investigation? Maybe someone can do a deeper dive into the security upgrade issue in this case.