Grays Harbor Community Hospital Ransomware Lawsuit May be Settled for $185,000

by Patrick Kennedy | Jul 6, 2020

Following mediation talks, Grays Harbor Community Hospital and Harbor Medical Group have agreed to a proposed settlement with the representative plaintiff in a proposed class action lawsuit connected to a June 2019 ransomware attack that led to the encryption of patient data.

The plaintiff and Grays Harbor negotiated the settlement to avoid the uncertainty of a trial and the costs of further litigation. The Court did not decide in favor of either party.

The ransomware attack that resulted in the legal action was discovered in June 2019. The Washington healthcare provider disabled its systems to contain the ransomware that had stopped servers from being accessed, but not in time to stop its computer systems from being encrypted. Grays Harbor had backed up its data in preparation for such an attack, but the backup files were also encrypted in the attack. The attack took its electronic health record system offline for almost two months.

The attackers issued a ransom demand of $1 million for the keys to decrypt the data. Grays Harbor had an insurance policy that provided coverage of up to $1 million, although it is unclear whether that insurance policy paid out and whether the ransom was paid. Regardless, it was not possible to recover all data encrypted in the attack, and some patients’ protected health information was not recovered.

The lawsuit alleged violations of the Washington State Consumer Privacy Act, the Washington State Uniform Healthcare Information Act, and the state Constitution’s Right to Privacy; negligence by Grays Harbor Community Hospital and Harbor Medical Group for failing to protect the privacy of patients; breach of express contract; breach of implied contract; and intrusion upon seclusion/invasion of privacy.

There was no admission of liability in the settlement with Grays Harbor Community Hospital and Harbor Medical Group. All claims stated in the lawsuit have been dismissed.

Grays Harbor Community Hospital and Harbor Medical Group proposed a settlement of $185,000 to meet the claims of the 88,000 patients affected by the ransomware attack. Impacted patients can file claims up to a maximum of $210 per person to cover out-of-pocket monetary losses incurred due to the breach and up to three hours of documented lost time dealing with the fallout from the breach at a rate of $15 per hour.

Claims of up to $2,500 will also be accepted for other provable losses that were more likely than not due to the ransomware attack. All available credit monitoring insurance and identity theft insurance must be exhausted before Grays Harbor is responsible for any larger payouts. If the claims are higher than $185,000, they will be paid pro rata to reduce costs.

Class members have a deadline of July 27, 2020 to exclude themselves from the settlement or submit an objection. A fairness hearing has been set for August 31, 2020. To receive a share of the settlement fund, a claim must be submitted before the end of December 23, 2020.

After the ransomware attack, measures were introduced to enhance security and more than $300,000 has been invested in information security. A further $60,000 will be spent on security enhancements over the next three years.

This is the second data breach settlement to be revealed this week.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
