Oak Valley Hospital faced a lawsuit due to a security incident 2023 wherein patient data was accessed without authorization. The hospital discovered the breach on July 18, 2023, but the attackers initially acquired access to its system 3 months earlier on April 21, 2023. Data likely stolen contained names, medical insurance details, Social Security numbers, and data concerning the care given at Oak Valley Hospital. Based on the breach notice submitted to the HHS Office for Civil Rights, 284,629 people were impacted.
Patient Kathryn Rohrer filed a lawsuit – Rohrer, et al. v. Oak Valley Hospital District d/b/a Oak Valley Hospital – associated with the data breach. Allegedly, the hospital failed to carry out reasonable and proper cybersecurity procedures. The plaintiff and class members claimed they encountered a greater risk of identity theft and fraud because of the data breach.
The lawsuit claimed breach of implied contract, negligence, breach of fiduciary duty, unjust enrichment, privacy violation, declaratory judgment, and violations of the California Customer Records Act, California Unfair Competition Law, the California Confidentiality of Medical Information Act, and the California Consumer Privacy Act.
Oak Valley Hospital decided to resolve the lawsuit without admitting wrongdoing. As per the conditions of the settlement, class members can claim as much as $5,000 for recorded out-of-pocket expenditures, which include up to 3 hours of lost time valued at $30 every hour, as well as a $100 residual cash payment, which may be higher or lower according to the amount of funds and number of claims. Oak Valley Hospital additionally consented to spend money on more safety measures, which likely include HIPAA training.
The court already gave preliminary approval of the settlement and the claims can be filed until November 19, 2024. The schedule of the final approval hearing is on December 19, 2024.