Skip to main content

Data Breach Lawsuit Costs Salinas Valley Memorial Healthcare System $340K

Analysis  |  By Amanda Schiavo  
   August 10, 2022

The healthcare provider admitted to no wrongdoing in the settlement.

Salinas Valley Memorial Healthcare System—a Salinas, California-based healthcare provider with 263 hospital beds and over $660 million in total revenue—has agreed to settle a class action lawsuit over claims its security system failed to protect patient information from a data breach.

According to the settlement, between April 30, 2020, and June 5, 2020, the healthcare system found that employee emails had been compromised and patients’ personal information, including names, hospital account numbers, medical record numbers, attending physician information, services, and other medical information, was hacked.  The breach was reported to the Department of Health and Human Services on June 29, 2020, and impacted 2,384 patients. Patients have until August 26, 2022, to file a claim.

"On May 7, 2020, and June 5, 2020, respectively, SVMHS subsequently determined that email accounts of a contractor and three other employees were also compromised," the hospital wrote in its initial disclosure of the breach. "These five email accounts were compromised through Outlook Web Access, SVMHS’s browser-based email access solution. Based on our review of the emails within the compromised inboxes, we determined that certain emails containing personal information was present in one of the inboxes. Our investigation to date has suggested, however, that the unauthorized person(s) only had access to the inboxes for a matter of hours before we disabled access to the accounts."

Healthcare data attacks hit an all-time high of 45 million individuals affected in 2021, according to research from cybersecurity firm Critical Insight. That’s a rise from the 34 million individuals affected in 2020, and triple the number of people impacted in 2018.

Salinas Valley Memorial Healthcare System agreed to settle the lawsuit to avoid a more costly litigation process but did not admit any wrongdoing in the settlement.  As part of the settlement, the healthcare system agreed to implement improved data security practices, including third-party auditors to conduct regular penetration tests, better maintenance of firewalls and access controls, improved data security training, and regular computer system scanning and security checks.

Amanda Schiavo is the Finance Editor for HealthLeaders.

Get the latest on healthcare leadership in your inbox.