Nebraska Medicine Data Breach Lawsuit Has Proposed Settlement

Complaint Alleged Multiple Security ‘Failures’ Leading to 2020 Cyberattack

A federal court has approved a proposed settlement in a class-action lawsuit filed in February against Nebraska Medicine. The suit followed a 2020 malware attack in which sensitive personal data and medical records of tens of thousands of individuals were exfiltrated.

The costs of the proposed settlement could exceed $37 million in patient reimbursements. Out of the nearly 216,500 individuals affected by the breach, roughly 126,000 are eligible for reimbursement.

Security Enhancements
In addition to the benefits to eligible class members, the settlement calls for Nebraska Medicine to take a series of measures to bolster its data security practices.

Those measures require that Nebraska Medicine:

  • Implement and enhance password, user-identity, email and user-browsing protocols;
  • Enhance and limit remote access capabilities;
  • Update and strengthen network security and system security measures, such as endpoint, vulnerability and firewall measures.

The settlement also calls for Nebraska Medicine to implement, update and enhance its security operations center and conduct periodic enhanced risk assessments.

Among other claims, the lawsuit alleges that a series of Nebraska Medicine security failures led to attackers in late 2020 stealing patient data.

Court documents contend Nebraska Medicine failed to maintain “an adequate data security system to reduce the risk of data breaches and cyberattacks,” including failing to:

  • Adequately protect patients’ private information;
  • Properly monitor its data security systems for existing intrusions, brute-force attempts and clearing of event logs;
  • Apply all available security updates and install the latest software patches, update its firewalls, check user account privileges, or ensure proper security practices;
  • Practice the principle of least-privilege and maintain “credential hygiene”;
  • Avoid the use of domain-wide, admin-level service accounts;
  • Employ or enforce the use of “strong randomized, just-in-time local administrator passwords.”

It is increasingly common for data incident-related class action settlements to force the breached entities to improve their security. The proposed settlement from the lawsuit “is consistent with other recent negotiated resolutions,” notes privacy attorney David Holtzman of the consulting firm HITprivacy LLC, who was not involved in the lawsuit.

“The costs for these security improvements can be substantial, adding to the overall value of the settlement amount,” Holtzman says.

With hacking and ransomware on the rise across all industries, the healthcare sector remains a prime target for criminals. If you have questions about your IT security, call ITPAC today.