Data Breach Settlement: BJC HealthCare Agrees to Put $2.7M Into Email Security

July 20, 2022 - BJC HealthCare agreed to put $2.7 million toward implementing multifactor authentication (MFA) and other email security measures under the terms of a data breach settlement.

The lawsuit stemmed from a 2020 phishing attack that impacted 19 hospitals affiliated with the Missouri health system and approximately 288,000 individuals. During the March 2020 attack, an unauthorized party was able to gain access to three email accounts for one day.

The accounts contained medial record and patient account numbers, provider names, health insurance information, Social Security numbers, and other protected health information (PHI). BJC HealthCare notified impacted individuals of the incident in May 2020.

Following the phishing attack, five class-action lawsuits were filed against BJC. The plaintiffs largely alleged that BJC neglected its duties to safeguard protected health information (PHI) under HIPAA and that it failed to implement adequate security measures to prevent unauthorized access.

Under the settlement agreement, class members are eligible to receive up to $250 for ordinary out-of-pocket expenses, including credit report fees, late fees, postage, mileage, bank and credit card fees, and other costs. Class members who experienced extraordinary out-of-pocket losses, including costs relating to documented or attempted identity theft and fraud, are eligible for up to $5,000.

BJC HealthCare agreed to take four corrective actions to improve the security and privacy of its patients’ information. First, BJC will be required to maintain a written security policy that must be available to all employees.

Second, BJC agreed to conduct mandatory annual cybersecurity training classes, periodic training updates as new security issues come up, and a new hire orientation.

Third, BJC HealthCare also agreed to maintain a written password policy with specific password complexity requirements. Finally, BJC agreed to implement MFA for remote access to email.

BJC estimated that the costs of these actions will amount to approximately $2.7 million, including $1.2 million for initial implementation and nearly $1.5 million for annual maintenance costs.

“These figures are reasonable estimates only, and while BJC must comply with such equitable relief, BJC is not required to spend a particular dollar amount towards these measures but is required to materially comply,” the settlement noted.

The 2020 phishing attack was BJC HealthCare’s third security incident in the span of two years. In March 2018, a data server misconfiguration exposed the data of 33,420 patients for almost one year. In December 2018, an unauthorized party hacked BJC HealthCare’s patient portal and potentially accessed the credit and debit card numbers of 5,850 individuals for one month.