United Health Centers of the San Joaquin Valley Reaches Proposed Data Breach Settlement

October 14, 2022 - United Health Centers (UHC) of the San Joaquin Valley reached a proposed class-action settlement agreement to resolve allegations surrounding an August 2021 data breach.

UHC’s notice to the public explained that on August 28, 2021, the health system experienced “technical difficulties” later determined to be an “encryption event.”

Some information was compromised as a result of the event, including Social Security numbers, diagnosis codes, provider and facility names, patient reference numbers, medication information, driver’s license and passport information, and care plan and allergy information.

“UHC said nothing to the public or to its patients until November 19, 2021, almost three months after the incident and two months after PHI was posted on the Dark Web,” the class-action complaint alleged.

The “encryption event” was later claimed by ransomware threat group Vice Society, which has been observed targeting the healthcare sector in the past.

“As a result of the unauthorized access to their Sensitive Information, Plaintiffs and class members suffered injury and damages, including: an increased risk of identity theft or identity fraud; improper disclosure of their medical information; the time and expense necessary to mitigate the heightened risk of identity theft or fraud; and extreme emotional distress and anxiety as a result of the heightened risk of identity theft or fraud, as well as the fact that their personal and medical information was accessed by a third-party,” the complaint stated.

The settlement is not an admission of guilt, and UHC maintained that it had “valid and complete defenses to the claims asserted against it.”

However, UHC chose to “avoid the additional expense, burden, inconvenience, and uncertainty” of continuing litigation.  

Impacted individuals may be eligible to receive up to $2,500 for economic losses related to the incident. Additionally, class members may submit a claim for up to $500 for non-economic losses traceable to the data security incident.

All class members will also be eligible to sign up for three years of credit monitoring and identity restoration services through the settlement agreement.