St. Joseph Health Settles Class Action Data Breach Lawsuit | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

St. Joseph Health Settles Class Action Data Breach Lawsuit

March 16, 2016
by Heather Landi
| Reprints
Click To View Gallery

Irvine, Calif.-based St. Joseph Health System has settled a class action lawsuit filed by two plaintiffs after the breach of 31,800 patient health records in 2012, as reported by the Orange County Register. The settlement, finalized last month in California Superior Court in Orange County, provides a total cash payment of $7.5 million to participating settlement class members, 31,074 plaintiffs, who will each receive roughly $241.

Healthcare Informatics obtained a copy of the court document through the webpage,, posted on the website of Kurtzman Carson Consultants (KCC), a class action settlement administrator.

The court document indicates that on February 13, 2012, St. Joseph Health System sent letters to approximately 31,802 of its patients, notifying them that it had inadvertently made their personal health information publicly accessible on the Internet, which allowed outside search engines to have access to the information. The information was accessible for a year, from February 2011 to February 2012.

“The letter stated that the type of information accessible included the following: diagnoses lists, active medication lists, lab results, medication allergies, body mass index (BMI), blood pressure, smoking status, advance directive status and demographic information, including spoken language, ethnicity, race, gender and birth date,” the court document stated.

The court documents state the in the lawsuit plaintiffs alleged that four causes of action by the health system led to the data breach: violation of the Confidentiality of Medical Information Act (CMIA); negligence; money had and received; and violation of the California Unfair Competition Law (UCL), California Business and Professionals Code, Section 17200. However, the court documents do not indicate how the patient health data become searchable on internet search engines.

And, the court documents indicates that a $3 million fund has been established to cover identity theft losses resulting from the exposure of patient health data. Each patient can apply for up to $25,000 if they suffered identity theft losses as a result of the data breach.

The court documents also indicate that St. Joseph also offered one year of identity theft and credit monitoring to 31,802 patients affected by the breach, which totaled $4.5 million. And, the health system spent $13 million to institute policies to comply with state and federal authorities and instituting numerous security-related remedial measures. And, St. Joseph also must pay $7.4 million in attorney’s fees and costs.

According to the article in the Orange County Register, the breach primarily involved patients of St. Jude Medical Center in Fullerton and Mission Hospital in Mission Viejo and Laguna Beach. But roughly one-third of the patients were treated at other St. Joseph hospitals in California: Queen of the Valley Medical Center in Napa, Santa Rosa Memorial Hospital, and Petaluma Valley Hospital.

The Orange County Register article also cited a statement released by the health system in which St. Joseph Health System leadership said they regretted “any undue concern to our patients” and said addresses, Social Security numbers and financial data were not released. The health system also said the information was removed from search engines.

“Additionally since the situation was discovered, we have invested in a number of initiatives to ensure the continued security of patient data, including enhanced data security infrastructure. These measures and more are intended to provide for the safety and security of our patients’ information,” the statement from St. Joseph Health System said, as quoted by the Orange County Register.



Former Michigan Governor to Serve as Chair of DRIVE Health

Former Michigan Governor John Engler will serve as chair of the DRIVE Health Initiative, a campaign aimed at accelerating the U.S. health system's transition to value-based care.

NJ Medical Group Launches Statewide HIE, OneHealth New Jersey

The Medical Society of New Jersey (MSNJ) recently launched OneHealth New Jersey, a statewide health information exchange (HIE) that is now live.

Survey: 70% of Providers Using Off-Premises Computing for Some Applications

A survey conducted by KLAS Research found that 70 percent of healthcare organizations have moved at least some applications or IT infrastructure off-premises.

AMIA Warns of Tax Bill’s Impact on Graduate School Programs in Informatics

Provisions in the Republican tax bill that would count graduate student tuition waivers as taxable income would have detrimental impacts on the viability of fields such as informatics, according to the American Medical Informatics Association.

Appalachia Project to Study Relationship Between Increased Broadband Access, Improved Cancer Care

The Federal Communications Commission and the National Cancer Institute have joined forces to focus on how increasing broadband access and adoption in rural areas can improve the lives of rural cancer patients.

Survey: By 2019, 60% of Medicare Revenues will be Tied to Risk

Medical groups and health systems that are members of AMGA (the American Medical Group Association) expect that nearly 60 percent of their revenues from Medicare will be from risk-based products by 2019, according to the results from a recent survey.