BJC HealthCare Resolves Data Breach Lawsuit Over 2020 Phishing Attack

BJC HealthCare has agreed to settle a class action lawsuit to resolve claims that it failed to adequately protect patient information from phishing attacks. On May 5, 2020, the not-for-profit hospital system, based in St. Louis, announced an email system breach that affected 287,876 people. The investigation confirmed that three email accounts were breached in March 2020 following responses to phishing email messages. Although data theft could not be confirmed, the affected email accounts held the protected health information (PHI) of patients of 19 of its medical centers. The types of data possibly exposed include names, dates of birth, medical insurance details, driver's license and Social Security numbers, and healthcare information.

The lawsuit, filed in the Circuit Court of the City of St. Louis, State of Missouri, initially involved 10 counts against the defendants and survived two motions to dismiss, with the case allowed to move forward on 8 of the 10 counts:

  • negligence
  • negligence per se
  • unjust enrichment
  • breach of contract
  • breach of the covenant of good faith and fair dealing
  • violations of the Missouri Merchandising Practices Act (MMPA) and Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA)
  • vicarious liability

BJC HealthCare decided to settle the lawsuit without admitting responsibility or wrongdoing. Under the terms of the settlement, BJC HealthCare will create a fund to cover claims from affected individuals of up to $5,000. All affected individuals may file a claim for ordinary and extraordinary costs incurred because of the data breach.

Claims may be submitted for ordinary expenses such as bank charges, interest, credit monitoring fees, mileage, postage, and up to 3 hours of lost time at $20 per hour. Ordinary claims are limited to $250 per person. Claims of up to $5,000 may be submitted for extraordinary costs, which include documented monetary losses and around three hours of additional lost time at $20 per hour. BJC HealthCare has also agreed to pay for two years of credit monitoring and identity theft protection services. Named plaintiffs will receive approximately $2,000, and BJC HealthCare will cover the plaintiffs' legal expenses. BJC HealthCare has allocated $2.7 million to cover the cost of implementing multi-factor authentication for its email accounts to improve protection against phishing attacks.

Claims must be filed by Dec. 14, 2022. The hearing on final approval of the settlement is set for Sept. 6, 2022.

In May 2022, BJC HealthCare reported yet another email breach to the HHS' Office for Civil Rights. The breach was reported as affecting 500 people, a common placeholder used until the exact number of affected individuals is confirmed. The breach took place two months earlier.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism.