$7.5M Healthcare Data Breach Settlement for St. Joseph Health

The settlement revolved around a healthcare data breach from 2012 where PHI was made available via internet search engines.

By Sara Heath

A class-action lawsuit against St. Joseph Health System for a 2012 healthcare data breach has been resolved, resulting in SJHS paying the class members $242 each, splitting the total settlement check of $7.5 million.

According to court documents, the settlement includes not only the $7.5 million payment but also $3 million set aside for patients who may apply for up to $25,000 each if they suffered identity theft. The documents also show that SJHS has invested a considerable amount of money in notifying patients of the data breach, complying with federal security regulations, offering free credit monitoring to potentially affected individuals, and implementing new and additional security measures.

This class action lawsuit was the result of a healthcare data breach that reportedly occurred at SJHS between 2011 and 2012, when PHI was made searchable via internet search engines. The breach was discovered by one of the class members, Danna Graewingholt, who found her health information available online.

After consulting with a lawyer, Graewingholt notified SJHS’s legal department. The hospital then uncovered the breach, finding that potentially breached information included patient names, medical data such as body mass index, smoking status, blood pressure, lab results, diagnoses, medication allergies, demographic information, and advance directive status.

The data came primarily from inpatient records for individuals receiving care between February and August of 2011.

The total number of potentially affected individuals spanned a number of SJHS’s facilities, including Mission Hospital Regional Medical Center, St. Jude Hospital, Queen of the Valley Medical Center, Santa Rosa Memorial Hospital, Petaluma Valley Hospital Auxiliary, The Auxiliary of Mission Hospital Laguna Beach, The Auxiliary of Mission Hospital Mission Viejo, Saint Joseph Hospital of Orange, Saint Joseph Hospital of Eureka and Redwood Memorial Hospital of Fortuna.

The breach reportedly resulted in 31,802 potentially affected individuals.

As noted above, the healthcare system responded by notifying local and federal authorities, notifying patients, and issuing a one-year free subscription to credit monitoring services.

However, a group of potentially affected individuals came forward with a lawsuit against the health system, alleging wrongdoing on four counts, which the court documents list as:

  • violation of the CMIA [Confidentiality of Medical Information Act];
  • negligence;
  • money had and received; and
  • violation of the California Unfair Competition Law (UCL), California Business and Professions Code, Section 17200, et seq.

Healthcare data breaches often result in these kinds of class action lawsuits.

In the middle of last year, patients potentially affected by a healthcare data breach at the Office of Personnel Management (OPM) filed a class action lawsuit, claiming that OPM had inadequate security provisions to protect PHI and that it consistently failed to meet Federal Information Security Management Act guidelines.

UCLA Health is also facing a class action lawsuit following the large-scale healthcare data breach that potentially affected nearly 4.5 million patients.

The class members, led by plaintiff Michael Allen, argue that UCLA Health was negligent in its efforts to notify the potentially affected individuals of the breach in a timely manner. UCLA Health reportedly discovered the breach on May 5, 2015, while the attack is believed to have occurred in September 2014.

Additionally, the class members allege that UCLA Health did not take sufficient measures to protect itself from the healthcare data breach.
