Cornerstone Specialty Hospitals pays $2.35m to settle data breach class action lawsuit

U.S. hospital chain Cornerstone Specialty Hospitals has agreed to pay $2,350,000 to settle a class action lawsuit related to a data breach that affected close to 500,000 individuals.

The hospital chain, that provides medical and surgical services through six facilities in Arkansas, Oklahoma, Texas, and West Virginia, agreed to pay the settlement amount in the Court of the Western District of Kentucky, Louisville Division. The amount covers compensation to the affected victims, settlement fund taxes and attorneys’ fees and expenses.

The lawsuit, Mireles v. Cornerstone Healthcare Group Management Services LLC d/b/a/ Cornerstone Specialty Hospitals, alleged that the healthcare organisation failed to take necessary and appropriate steps to secure patient data stored in its network and suffered a data breach as a result.

The lawsuit also stated that Cornerstone took more than six months to notify affected patients about the data breach. The healthcare organisation did not admit liability but agreed to settle the lawsuit to avoid further legal costs, plus pay additional compensation, capped at a maximum of $10,000 per individual, to those who suffered documented losses due to the data breach.

The class action  lawsuit was filed after Cornerstone Specialty Hospitals revealed that it suffered a data breach incident on December 19, 2023, that compromised data associated with some of its facilities. The company’s subsequent investigation into the incident revealed that hackers had compromised it patients’ sensitive personal and healthcare information.

"Types of information that were subject to unauthorized access vary by individual but may include: name, Social Security number, date of birth, federal or state ID number, financial account information, credit or debit card information, digital signature, email address and password, username and password, passport number, medical or health information, health insurance information, and other protected health information," Cornerstone said.

"Out of an abundance of caution, Cornerstone is offering credit monitoring and identity protection services to those who were impacted at no cost. In addition, Cornerstone is advising those who were impacted to stay vigilant and closely review and monitor their financial accounts, statements, credit reports and other financial information for any evidence of unusual activity, fraudulent charges or signs of identity theft," the hospital chain added. The hospital later informed the HHS’ Office for Civil Rights that the data breach impacted 484,957 individuals.