California health system to pay $7.5M to patients in breach settlement

California-based St. Joseph Health System must pay $7.5 million in a class-action lawsuit after a breach in which the personal health data of more than 31,000 patients was made accessible online, according to a court document.

In January 2012 a St. Joseph patient, Danna Graewingholt, found her personal health information through a Google search. She notified the health system that her data and that of several thousand other patients was all available online.

Following Graewingholt's discovery, the health system sent letters to patients informing them that information such as diagnoses, active medication lists, lab results, smoking status, race, gender and birth dates had inadvertently been made available online, according to the court documents.

Individuals impacted were patients at a number of the health system's facilities, including but not limited to Mission Hospital Regional Medical Center, St. Jude Hospital, Queen of the Valley Medical Center, Santa Rosa Memorial Hospital and Petaluma Valley Hospital Auxiliary.

St. Joseph must pay all patients whose medical information was accessible on the Internet at any point from Feb. 1, 2011, through Feb. 28, 2012, which will come out to about $242 per patient.

Other healthcare organizations have been hit in recent months with fines after breaches and data security incidents.

For instance, in December, University of Washington Medicine paid $750,000 in a settlement with the Health and Human Services Department's Office for Civil Rights after a potential breach of patient information in which an employee downloaded an email attachment that contained malware.

And in November, Lahey Hospital and Medical Center agreed to pay $850,000 and implement a robust corrective action plan in a HIPAA settlement with HHS stemming from the 2011 theft of a laptop.

To learn more:
- here's the court document (.pdf)