UCLA Health to pay $7.5M to settle data breach class-action case

Mackenzie Garrity

UCLA Health has agreed to pay $7.5 million to settle a class-action lawsuit brought by patients after a data breach put their personal and health information at risk, according to the HIPAA Journal.

The university health system discovered suspicious activity on its network in October 2014 and contacted the FBI for help. At that time, it was assumed no medical records had been compromised, but by May 2015, it was discovered that hackers had gained access to patients' protected health information.

About 4.5 million patients were affected by the breach.

The HHS Office for Civil Rights determined UCLA Health followed the appropriate protocol and was satisfied with the university health system's post-breach efforts to improve security, according to the Journal.

But patients were not as satisfied and filed a class-action suit, arguing that UCLA Health failed to notify them about the data breach in a timely manner, that there had been a breach of contract, and that failing to protect patients' privacy was negligence, according to the report.

UCLA Health alerted patients July 15, 2015, about the data breach. HIPAA requires that organizations notify affected personnel in less than 60 days from the discovery that personal health information has been affected. The patients claimed UCLA should have notified them more promptly, as the incident happened nine months prior to their notice.

Patients have until May 20 to object to the settlement. They can claim up to $5,000 to cover identity protection costs and up to $20,000 for any losses or damages caused by the data breach.

Of the $7.5 million settlement, $2 million has been set aside for patient claims. The other $5.5 million will go toward UCLA Health developing a cybersecurity fund to improve cybersecurity defenses.
