In relation to September 2019 ransomware attack on Ferguson Medical Group (FMG), a $350,000 settlement has been reached between Saint Francis Healthcare System and patients impacted by the attack.
FMG was purchased by Saint Francis after a cyberattack resulted in many important records being inaccessible. They tried to retrieve all impacted records via backups, though some were could no be rescued. These files included medical records from patients who attended for treatment between Sept 20, 2018 and December 31, 2018.
The breach impacted approximately 107,000 patients who were then offered free membership to credit monitoring services as a precautionary step. Saint Francis Healthcare had a class action lawsuit filed against them in January of this year in the US District Court of Eastern Missouri. The legal action claims that the company was negligent and allowed a breach of the Missouri Merchandise Practices Act. Some 90,000 of the affected patients added their name to this class action.
Credit monitoring services had been offered to those who were impacted by the breach. In the legal action the plaintiffs asked for compensation for costs incurred as a consequence of the data breach and to pay for the legal costs of the action. The lawsuit also stated that Saint Francis Healthcare must add multiple safeguards to increase their data security provisions.
A motion to dismiss the lawsuit was submitted in by Saint Franco Healthcare in March 2020, claiming that the plaintiffs failed to state a plausible cause for relief. The plaintiffs claimed that the motion to dismiss lacked plausibility. However, if the case were allowed to progress to trial the outcome could have been unpredictable and, as a result, both parties agreed to handle this outside of court.
The settlement proposed that all plaintiffs be given a maximum of $280 to cover expenses caused by the breach and additional credit monitoring services with compensation for time protecting identities. Saint Francis also agreed to do their utmost to bolster the security provisions that they have in place. These enhancement includes implementing firewalls , password authentication and geo-blocking for traffic.
The settlement is now up for final approval from a judge and this is scheduled for November 17 in a conference with District Judge Stephen R. Clark of the District Court of Eastern Missouri.