Skip to content

Data Breach Leads to $4.4 Million Settlement for Health Care Provider

Sea Mar Community Health Centers in Seattle, Washington agreed to pay $4.4 million to settle a class-action lawsuit arising from a data breach that exposed patients’ personally identifying information (PII) and protected health information (PHI). While the exact nature of the breach has not been reported, Sea Mar’s response to it was criticized, leading the organization to settle without admitting any wrongdoing.

Another Data Breach Leads to Million Dollar Settlement

The breach is believed to have begun around December 2020 and continued until March 2021. An individual was able to extract user names, passwords, Social Security numbers, health insurance information and diagnostic and treatment information. Sea Mar learned of the breach in June 2021 but failed to notify affected patients until October 2021. This was a violation of HIPAA rules, which require notification within 60 days of a breach, and Washington State consumer protection laws.

More than 680,000 patients were impacted by the breach. Under the terms of the settlement, impacted patients can receive up to $25,000 each for documented cases of identity theft that led to financial losses. Those who paid for lawyers, lost time at work or paid for identity theft protection as a result of the breach are eligible for up to $2,500. Everyone impacted by the breach will receive three years of credit monitoring and a one-time payment of $100.

Delayed Response Proves Costly

According to its own press release, Sea Mar learned about the breach on June 24, 2021. Instead of promptly notifying all patients, which would have satisfied HIPAA and state regulations, Sea Mar, “engaged leading, independent cybersecurity experts for assistance,” and began compiling a list of contact information for those whose information was stolen. That process, according to Sea Mar, was completed on August 30, 2021, which itself was outside of the HIPAA reporting window. Sea Mar then waited until October 29, 2021, nearly 60 days after they compiled their notification list and more than 120 days after the breach was found, to issue a statement about the breach.

The “cybersecurity experts” Sea Mar hired should have told them to report the breach immediately, instead of waiting to collect information. This is a critical mistake that we see over and over again. Some cyber security professionals do not know HIPAA rules. Others, contracted to identify the source and scope of a breach, are not focused on your communication plan.

Because Sea Mar waited, they wound up with significant financial liability. We do not know if cyber liability insurance will cover Sea Mar’s settlement, but we do know that failure to identify people affected by a data breach will void a cyber policy in some cases. We also know that any organization can find better things to do with 4 million dollars.

You Cannot Conceal a Data Breach

Some organizations believe they can limit the reputational damage from a data breach by delaying reporting or by only informing those impacted. This fails for two reasons:

  1. You must inform individuals affected by a data breach. Sooner or later, one of those people is going to the media.
  2. Any payments you make wind up on a balance sheet. The bigger the payments, the more likely someone will notice them. Investors, analysts and reporters routinely analyze financial statements for signs of unusual expenses. Expect the media to dig into your cyber security history if a data breach makes the news.

When customers find out about a breach after the fact, particularly if they were not informed about it, it doesn’t matter if they were personally impacted or not. They will cease to trust you, and a significant portion of your customer or patient base will disappear. Plus you could be on the hook for millions in settlements or restitution.

State and Federal regulations are clear on when and how to report a data breach. If you are unfamiliar with those rules, especially if you handle any kind of PHI protected by HIPAA, you need an information security consultant to help you develop practices and protocols that meet legal requirements. Federal officials, as well as some state legislatures, have signaled an intention to make the reporting requirements and financial penalties much stricter in the coming years. Start with a consultation now so that you can maintain compliance as the rules evolve, and protect yourself against financial liability.

We provide experienced support in compliance, including HIPPA compliance. Contact us online or call us at 1-800-658-8311 to speak to a cyber security expert.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

CALL US: (800) 658-8311