Nebraska Medicine Data Breach Settlement Approved

Written by

A preliminary settlement has been reached in a lawsuit brought against Nebraska Medicine over a 2020 data security incident. 

Omaha-based Nebraska Medicine suffered a cyber-attack in September 2020. The attack disrupted the healthcare provider's information technology system, leading to the postponement of patient appointments. 

Staff in the system’s hospitals and clinics had to chart by hand, and access to Nebraska Medicine's patient portal and to patients' electronic health records was impacted. 

An investigation into the incident revealed that an unauthorized party used malware to gain access to Nebraska Medicine and University of Nebraska Medical Center’s shared computer network between August 27 and September 20. 

In February, Nebraska Medicine and UNMC began notifying patients and employees whose personal information may have been compromised in the attack. 

Nebraska Medicine reported the hacking incident to the Department of Health and Human Services in February 2020 as a HIPAA breach affecting nearly 216,500 individuals in Nebraska and in other states.

Data exposed in the incident included names, addresses, health insurance details, clinical information, Social Security numbers, and driver's license numbers.  

A limited number of patients seen at Faith Regional Health Services in Norfolk, Great Plains Health in North Platte, and Mary Lanning Healthcare in Hastings, and whose information was in the Nebraska Medicine/UNMC network, were also impacted by the data breach. 

A class-action lawsuit was filed against Nebraska Medicine in February, citing the exfiltration of sensitive personal data and medical records of tens of thousands of individuals.

A judge for the US District Court of Nebraska has approved a proposed suit settlement that would make all class members who submit a valid claim by a currently unspecified deadline eligible for a reimbursement of up to $300 cash for time and money spent on dealing with the breach.

Claimants who can show documented proof of "extraordinary monetary losses" that were "more than likely" incurred because of the data breach can claim up to $3,000 for an extra year of credit monitoring.

The preliminary settlement provides benefits to only around 126,000 individuals who were notified of the data breach through the mail, including nearly 13,500 who were informed that their Social Security number and/or driver’s license number may have been compromised in the incident.

What’s hot on Infosecurity Magazine?