A proposed settlement for a 2020 breach requires BJC HealthCare to implement MFA for email access, estimated to cost $2.7 million. (Photo by Mark Wilson/Getty Images)

BJC HealthCare reached a settlement with the 287,873 patients impacted by a 2020 protected health information breach of its email system brought on by a successful phishing attack. Nineteen of its affiliated hospitals were involved in the incident.

Each affected patient will receive up to $250 for bank fees, interest, credit monitoring costs, postage, mileage and up to three hours of lost time. Individuals who’ve faced extraordinary expenses as a direct result of the hack may also qualify for up to $5,000 in reimbursement.

The proposed settlement also requires BJC HealthCare to implement multi-factor authentication for email access to reduce the risk of phishing, projected to cost $2.7 million. Depending on how many of the patients file claims, the overall settlement costs could be staggering.

BJC Health has been defending itself against allegations that its poor cybersecurity policies and practices directly led to a 2020 phishing attack and subsequent PHI breach. In May 20202, the Missouri-based provider notified patients that their data was exposed during a phishing attack two months earlier. 

Three employees were duped by the phishing emails on March 6 and detected by the security team on the same day. The investigation determined the phishing attack enabled the threat actor to gain access to the accounts for only one day.

The accounts contained a trove of patient data including Social Security numbers, medical record or patient account numbers, provider names, treatments, medications, and clinical data. BJC could not rule out whether the emails, attachments, or patient data were viewed by the attacker during the incident. Nineteen affiliated hospitals were affected by the security incident.

What was notable, however, was that this was the third healthcare data breach reported by BJC in two years. In March 2018, a data server misconfiguration exposed the data of 33,420 patients for nearly a year. Later that year, malware was installed onto its patient portal, which allowed a hacker to intercept the credit and debit card numbers of 5,850 for approximately one month.

After the May 2020 notification, five separate class-action lawsuits were filed against BJC over the incident, which claimed that its failure to implement and follow basic security procedures enabled the success of the phishing attack.

BJC was also accused of failing to adequately encrypt, if at all, the PHI in its possession, while failing to follow contractually agreed upon security standards in direct violation of the HITECH Act and Health Insurance Portability and Accountability Act.

The lawsuit claims these missteps have put patients at an increased risk of identity theft and are “immediately and imminently in danger of sustaining some or further direct injury/injuries as a result of the identity theft they suffered when [BJC] did not protect and secure the PHI and disclosed the PHI to hackers.” 

Under the proposed settlement, BJC must provide breach victims with the aforementioned payments, in addition to two years of credit monitoring services. The health system has also agreed to bolster its cybersecurity policies to better protect patient information, including conducting mandatory cybersecurity training annually and during new hire orientation.

The settlement also requires BJC Health to apply periodic training updates to reflect new information security issues. The health system must also maintain a written password policy that requires the appropriate password complexity.

The MFA project must target remote access to the email systems. The estimated $2.7 price tag will include $1.22 million for the initial implementation and another $1.5 million for annual maintenance. However, these are “reasonable estimates only.” The MFA project is required, but BJC is not mandated to “spend a particular dollar amount towards these measures.”

BJC is also required to pay the costs for notifying breach victims of the settlement, as well as related fees and attorneys’ costs, up to $790,000 to Missouri Class Counsel and up to $415,000 for the Illinois Class Counsel. Named plaintiffs may receive up to $2,000.

“As detailed herein, the settlement surely satisfies the preliminary approval standard of likely to be approved as fair, reasonable, and adequate,” according to the proposal.