St. Joseph Health Settles Class Action Data Breach Lawsuit | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

St. Joseph Health Settles Class Action Data Breach Lawsuit

March 16, 2016
by Heather Landi
| Reprints
Click To View Gallery

Irvine, Calif.-based St. Joseph Health System has settled a class action lawsuit filed by two plaintiffs after the breach of 31,800 patient health records in 2012, as reported by the Orange County Register. The settlement, finalized last month in California Superior Court in Orange County, provides a total cash payment of $7.5 million to participating settlement class members, 31,074 plaintiffs, who will each receive roughly $241.

Healthcare Informatics obtained a copy of the court document through the webpage,, posted on the website of Kurtzman Carson Consultants (KCC), a class action settlement administrator.

The court document indicates that on February 13, 2012, St. Joseph Health System sent letters to approximately 31,802 of its patients, notifying them that it had inadvertently made their personal health information publicly accessible on the Internet, which allowed outside search engines to have access to the information. The information was accessible for a year, from February 2011 to February 2012.

“The letter stated that the type of information accessible included the following: diagnoses lists, active medication lists, lab results, medication allergies, body mass index (BMI), blood pressure, smoking status, advance directive status and demographic information, including spoken language, ethnicity, race, gender and birth date,” the court document stated.

The court documents state the in the lawsuit plaintiffs alleged that four causes of action by the health system led to the data breach: violation of the Confidentiality of Medical Information Act (CMIA); negligence; money had and received; and violation of the California Unfair Competition Law (UCL), California Business and Professionals Code, Section 17200. However, the court documents do not indicate how the patient health data become searchable on internet search engines.

And, the court documents indicates that a $3 million fund has been established to cover identity theft losses resulting from the exposure of patient health data. Each patient can apply for up to $25,000 if they suffered identity theft losses as a result of the data breach.

The court documents also indicate that St. Joseph also offered one year of identity theft and credit monitoring to 31,802 patients affected by the breach, which totaled $4.5 million. And, the health system spent $13 million to institute policies to comply with state and federal authorities and instituting numerous security-related remedial measures. And, St. Joseph also must pay $7.4 million in attorney’s fees and costs.

According to the article in the Orange County Register, the breach primarily involved patients of St. Jude Medical Center in Fullerton and Mission Hospital in Mission Viejo and Laguna Beach. But roughly one-third of the patients were treated at other St. Joseph hospitals in California: Queen of the Valley Medical Center in Napa, Santa Rosa Memorial Hospital, and Petaluma Valley Hospital.

The Orange County Register article also cited a statement released by the health system in which St. Joseph Health System leadership said they regretted “any undue concern to our patients” and said addresses, Social Security numbers and financial data were not released. The health system also said the information was removed from search engines.

“Additionally since the situation was discovered, we have invested in a number of initiatives to ensure the continued security of patient data, including enhanced data security infrastructure. These measures and more are intended to provide for the safety and security of our patients’ information,” the statement from St. Joseph Health System said, as quoted by the Orange County Register.

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Cedars-Sinai Collaborates on Organs-on-Chip Precision Medicine Project

Scientists at Los Angeles-based Cedars-Sinai, in partnership with biotechnology startup Emulate, are pioneering a Patient-on-a-Chip program to help predict which disease treatments would be most effective based on a patient's genetic makeup and disease variant.

Blockchain Company Hashed Health Gets New Partner

ODH, Inc., a New Jersey-based health technology company, has joined with blockchain innovation consortium Hashed Health.

NCQA Approved by Government as ONC-Authorized Testing Lab

The National Committee for Quality Assurance (NCQA) has announced that its eMeasure testing laboratory is now approved by the Office of the National Coordinator for Health Information Technology (ONC).

Survey: Infrastructure, Interoperability Key Barriers to Global HIT Development

A new survey report from Black Book Research on global healthcare IT adoption and records systems connectivity finds nations in various phases of regional electronic health record (EHR) adoption. The survey results also reveal rapidly advancing opportunities for U.S.-based and local technology vendors.

Penn Medicine Opens Up Telehealth Hub

Philadelphia-based Penn Medicine has opened its Center for Connected Care to centralize the health system’s telemedicine activities.

Roche to Pay $1.9B for Flatiron Health

Switzerland-based pharmaceutical company Roche has agreed to pay $1.9 billion to buy New York-based Flatiron Health Inc., which has both an oncology EHR and data analytics platform.