Skip to content Skip to navigation

St. Joseph Health Settles Class Action Data Breach Lawsuit

March 16, 2016
by Heather Landi
| Reprints
Click To View Gallery

Irvine, Calif.-based St. Joseph Health System has settled a class action lawsuit filed by two plaintiffs after the breach of 31,800 patient health records in 2012, as reported by the Orange County Register. The settlement, finalized last month in California Superior Court in Orange County, provides a total cash payment of $7.5 million to participating settlement class members, 31,074 plaintiffs, who will each receive roughly $241.

Healthcare Informatics obtained a copy of the court document through the webpage,, posted on the website of Kurtzman Carson Consultants (KCC), a class action settlement administrator.

The court document indicates that on February 13, 2012, St. Joseph Health System sent letters to approximately 31,802 of its patients, notifying them that it had inadvertently made their personal health information publicly accessible on the Internet, which allowed outside search engines to have access to the information. The information was accessible for a year, from February 2011 to February 2012.

“The letter stated that the type of information accessible included the following: diagnoses lists, active medication lists, lab results, medication allergies, body mass index (BMI), blood pressure, smoking status, advance directive status and demographic information, including spoken language, ethnicity, race, gender and birth date,” the court document stated.

The court documents state the in the lawsuit plaintiffs alleged that four causes of action by the health system led to the data breach: violation of the Confidentiality of Medical Information Act (CMIA); negligence; money had and received; and violation of the California Unfair Competition Law (UCL), California Business and Professionals Code, Section 17200. However, the court documents do not indicate how the patient health data become searchable on internet search engines.

And, the court documents indicates that a $3 million fund has been established to cover identity theft losses resulting from the exposure of patient health data. Each patient can apply for up to $25,000 if they suffered identity theft losses as a result of the data breach.

The court documents also indicate that St. Joseph also offered one year of identity theft and credit monitoring to 31,802 patients affected by the breach, which totaled $4.5 million. And, the health system spent $13 million to institute policies to comply with state and federal authorities and instituting numerous security-related remedial measures. And, St. Joseph also must pay $7.4 million in attorney’s fees and costs.

According to the article in the Orange County Register, the breach primarily involved patients of St. Jude Medical Center in Fullerton and Mission Hospital in Mission Viejo and Laguna Beach. But roughly one-third of the patients were treated at other St. Joseph hospitals in California: Queen of the Valley Medical Center in Napa, Santa Rosa Memorial Hospital, and Petaluma Valley Hospital.

The Orange County Register article also cited a statement released by the health system in which St. Joseph Health System leadership said they regretted “any undue concern to our patients” and said addresses, Social Security numbers and financial data were not released. The health system also said the information was removed from search engines.

“Additionally since the situation was discovered, we have invested in a number of initiatives to ensure the continued security of patient data, including enhanced data security infrastructure. These measures and more are intended to provide for the safety and security of our patients’ information,” the statement from St. Joseph Health System said, as quoted by the Orange County Register.



CMS Hospital Compare Website Updated with VA Data

The Centers for Medicare & Medicaid Services (CMS) has announced the inclusion of Veterans Administration (VA) hospital performance data as part of the federal agency’s Hospital Compare website.

CMS Awards Funding to Special Innovation Projects

The Centers for Medicare & Medicaid Services (CMS) has awarded 20, two-year Special Innovation Projects (SIPs) aimed at local efforts to deliver better care at lower cost.

Center of Excellence in Genomic Science to be Established in Chicago

The National Human Genome Research Institute has awarded $10.6 million over five years for the establishment of a new research center in Chicago to advance genomic science.

EHNAC and HITRUST Combine HIPAA Security Criteria, CSF Framework

The Electronic Healthcare Network Accreditation Commission (EHNAC) and the Health Information Trust Alliance (HITRUST) announced plans to streamline their accreditation and certification programs.

Halamka on MACRA Final Rule: “CMS is Listening and I Thank Them”

Health IT notable expert John Halamka, M.D., CIO of Beth Israel Deaconess Medical Center in Boston, recently weighed in on the Medicare Access and CHIP Reauthorization Act (MACRA) final rule.

Texas Patient Care Clinic Hit with Ransomware Attack

Grand Prairie, Texas-based Rainbow Children's Clinic was the victim of a ransomware attack on its IT systems in August, affecting more than 33,000 patients, according to multiple news media reports this week.