Hospital billing vendor settles $2Mn data breach lawsuit
WASHINGTON, UNITED STATES — Kaye-Smith Enterprises, a hospital billing and mailing vendor, has agreed to a $2 million settlement after a 2022 cyberattack exposed sensitive personal data from five healthcare systems.
The breach affected patients of MultiCare Health System, UW Medicine, Geisinger, Seattle Children’s, and St. Luke’s Health System.
The attack compromised personally identifiable information (PII), including names, social security numbers, credit scores, and medical details. Hackers reportedly deployed ransomware and potentially exfiltrated data from Kaye-Smith’s systems.
Compensation for affected individuals
Under the settlement terms, affected individuals can claim up to $2,500 for documented losses associated with the breach or opt for a $500 cash payment. Additionally, class members are eligible for 12 months of complimentary credit monitoring services. Claims must be submitted by December 26, 2024.
Eligible individuals can also seek reimbursement for up to five hours of time spent addressing breach-related issues at $25 per hour. Businesses impacted by the incident may file claims for financial losses tied to the breach.
Allegations and denial of liability
The class action lawsuit alleged that Kaye-Smith failed to implement adequate cybersecurity measures and delayed notifying victims of the breach. Plaintiffs argued that the breach resulted from negligent practices that left sensitive data vulnerable to cyberattacks.
While denying any wrongdoing, Kaye-Smith opted to settle the case to avoid prolonged litigation costs and uncertainties. The company has since enhanced its cybersecurity protocols in response to the incident.
Final approval hearing scheduled
A final court hearing is set for January 7, 2025, to determine whether the settlement will receive final approval.
Individuals who wish to object or exclude themselves from the settlement must do so by December 26 or December 2, respectively.
Next steps for affected patients
Patients who received a Notice of Data Incident or believe they were impacted can visit the settlement website for instructions on filing claims or accessing credit monitoring services. Those who take no action will waive their right to compensation or further legal claims against Kaye-Smith.
This case underscores the growing risks of cyberattacks in healthcare and highlights the importance of robust data protection measures to safeguard patient information in an increasingly digital landscape.
