Grays Harbor Community Hospital Ransomware Lawsuit May be Settled for $185,000


Following mediation talks, a proposed settlement has been agreed between Grays Harbor Community Hospital and Harbor Medical Group and the representative plaintiff in a proposed class action lawsuit connected to a June 2019 ransomware attack that led to the encryption of patient data.

In order to avoid the uncertainty of a trial and the costs of further litigation, the settlement was negotiated by the plaintiff and Grays Harbor. The settlement was not decided in favor of either party by the Court.

The ransomware attack that resulted in the legal action was discovered in June 2019. The Washington healthcare provider disabled its systems to contain the virus that had stopped servers from being accessed, but not in time to stop its computer systems from being encrypted. Grays Harbor had backed up its data in preparation for such an attack, but the backup files were also encrypted in the attack. The attack took its electronic health record system offline for almost two months.

The hackers issued a ransom demand of $1 million for the keys to decrypt the data. Grays Harbor had an insurance policy that provided coverage of up to $1 million, although it is unclear whether that insurance policy paid out and whether the ransom was paid. Regardless, it was not possible to retrieve all data encrypted in the attack, and some patients’ protected health information was not recovered.

The lawsuit alleged violations of the Washington State Consumer Privacy Act, the Washington State Uniform Healthcare Information Act, and the state Constitution’s Right to Privacy. It also alleged that Grays Harbor Community Hospital and Harbor Medical Group were negligent for failing to protect the privacy of patients, and alleged breach of express contract, breach of implied contract, and intrusion upon seclusion/invasion of privacy.

There was no admission of liability in the settlement with Grays Harbor Community Hospital and Harbor Medical Group. All claims stated in the lawsuit have been dismissed.

Grays Harbor Community Hospital and Harbor Medical Group proposed a settlement of $185,000 to meet the claims of the 88,000 patients affected by the ransomware attack. Impacted patients can file claims up to a maximum of $210 per person to cover out-of-pocket monetary losses incurred due to the breach and up to three hours of documented lost time dealing with the fallout from the breach at a rate of $15 per hour.

Claims of up to $2,500 will also be accepted for other provable losses that were more likely than not due to the ransomware attack. All available credit monitoring insurance and identity theft insurance must be exhausted before Grays Harbor is responsible for any larger payouts. If the claims are higher than $185,000, they will be paid pro rata to reduce costs.

Class members have a deadline of July 27, 2020 to exclude themselves from the settlement or submit an objection. A fairness hearing has been set for August 31, 2020. To receive a share of the settlement fund, a claim must be submitted before the end of December 23, 2020.

After the ransomware attack, measures were introduced to enhance security and more than $300,000 has been invested in information security. A further $60,000 will be spent on security enhancements over the next three years.

This is the second data breach settlement to be revealed this week.