HIPAA and Compliance News

$185K Proposed Settlement Reached in Grays Harbor Data Breach Lawsuit

Grays Harbor Community Hospital and Harbor Medical Group was hit with a ransomware attack in June 2019, where hackers demanded a $1 million ransom; the proposal will settle claims of negligence.


By Jessica Davis

Grays Harbor Community Hospital and Harbor Medical Group has reached a proposed $185,000 settlement with the 88,000 patients impacted by a June 2019 ransomware attack, which drove the Washington provider to EHR downtime for about two months.

The notice and proposed settlement both stress that the agreement is not an admission of guilt. Officials said they continue to deny all lawsuit claims and charges of wrongdoing. 

Initially reported as EHR downtime in early June, the attack hit the computer systems of both the hospital and its clinics. An employee clicked on a malicious link contained in a phishing email, which deployed the ransomware payload. The incident occurred over a weekend, when Grays Harbor IT staffing was limited.

The attack was first treated as an IT incident, and servers were turned off to contain the spread of the malware. But the ransomware had spread rapidly during the early days of the attack, even though the provider had traditional anti-virus and backups in place. Those backups were also infected during the attack.

The clinics were hit hardest, with their systems remaining down longer than the hospital’s, as the hospital’s older software prevented the ransomware from being installed properly on the main system. But patient care was not impacted: surgeries, routine appointments, and emergency care continued as scheduled. However, there was a five-day period during which payments could not be processed.

At the time, Grays Harbor officials stressed that they were a “cash-strapped” operation, and hackers demanded a $1 million ransom to release the locked data. The provider reportedly had a cyber insurance policy with a $1 million cap, which officials hoped would cover the recovery costs.

Grays Harbor did not disclose whether the ransom was paid, but about 88,000 patients were affected by the event as officials were unable to recover all of the data during the attack.

Some patients soon filed a lawsuit in an effort to recover costs incurred by the breach, alleging Grays Harbor violated the Washington State Uniform Healthcare Information Act, Washington State Constitution’s right to privacy, and the Washington State Consumer Protection Act.

Victims also claimed negligence, intrusion upon seclusion and invasion of privacy, and breach of express and implied contract.

If approved, the proposed settlement ensures Grays Harbor will pay no more than $185,000 for breach victims’ claims. If claims exceed that cap, payments will be reduced on a pro rata basis. And breach victims must first exhaust all previously provided credit monitoring and identity theft insurance before the provider is responsible.

“Grays Harbor shall reimburse... each settlement class member in the amount of his or her proven loss, but not to exceed $2,500 per claim (and only one claim per settlement class member), for a monetary out-of-pocket loss that is claimed ... to have occurred more likely than not as a result of the data incident,” according to the lawsuit. 

Grays Harbor has already invested at least $300,000 to improve its information security program since the security incident, and plans to invest at least $60,000 more on security improvements over the next three years.

Those security investments include quarterly and annual penetration testing, the development of a formal remediation process, installation of a next-generation firewall, and the development of corporate security standards based on external standards.

The proposal is the second healthcare data breach lawsuit settlement reported in the last week. After two years of litigation, UnityPoint Health recently reached a proposed $2.8 million settlement after two phishing-related breaches in 2018.