Atlantic General Hospital reaches $2.25m settlement with patients over 2023 data breach

Maryland-based healthcare provider Atlantic General Hospital has reached a $2.25 million settlement with affected patients over a data security incident in January 2023 that compromised their personal and health information.

 

In January last year, Atlantic General Hospital said that it discovered “encrypted files on certain computer systems” and immediately launched an investigation with the assistance from external forensic experts to understand the nature and scope of the security incident.

 

The investigation revealed that malicious actors gained unauthorised access to portions of Atlantic General’s  internal network on January 20, 2023, and accessed certain files that contained sensitive personal data of its patients and staff.

 

The compromised information included patients’ names, social security numbers, driver’s license numbers, financial account information, dates of birth, medical record numbers, treating/referring physicians, health insurance information, subscriber numbers, medical history information, diagnosis, and treatment information. Atlantic General added that at least 136,981 people were impacted by the data security incident.

 

Following the data security incident, the affected individuals filed a class action lawsuit alleging that AGH failed to properly implement data security measures that could have prevented threat actors from infiltrating its network and accessing the sensitive personal information of its patients.

 

“It is clear that AGH failed to take sufficient and reasonable measures to safeguard its data security systems and protect highly sensitive data in order to prevent the Data Breach from occurring; to disclose to its patients, and the public at large, that it lacked appropriate data systems and security practices to secure Private Information; and to timely detect and provide adequate notice of the Data Breach to affected individuals,” reads the consolidated complaint.

 

The plaintiffs argued that apart from the imminent danger of identity theft and other cyber crimes that they are now exposed to, the plaintiffs had to bear out-of-pocket expenses and loss of time.

 

AGH did not admit to any wrongdoing but agreed to a settlement of $2.25 million where class members can submit valid claims to receive up to $5,000 for reimbursement of documented losses incurred due to the data breach.