BJC Healthcare data breach class action settlement

BJC Healthcare agreed to a class action lawsuit settlement to resolve claims its poor cybersecurity led to a 2020 data breach incident.

The settlement benefits individuals who received a notice from BJC Healthcare that their information may have been compromised in a data incident March 6, 2020.

BJC Healthcare is a St. Louis-based hospital system that provides services to the greater St. Louis area, southern Illinois and southeast Missouri. According to the company’s website, the nonprofit health care organization boasts over 30,000 employees and over $6 billion in net revenue.

In May 2020, BJC Healthcare announced it was the target of a phishing cyberattack. In the data incident, three BJC employee email accounts were allegedly accessed by a third party after the employees interacted with phishing emails — emails designed to look legitimate while giving hackers access to sensitive systems.

The March 6, 2020, data breach may have compromised sensitive patient data including names, medical records, birth dates, health insurance information, Social Security numbers and driver’s license data. 

Affected consumers took legal action against BJC Healthcare, arguing the company could have prevented the data breach through reasonable cybersecurity measures. According to plaintiffs in the data breach class action lawsuit, BJC Healthcare’s negligence directly led to the cyberattack.

“BJC Healthcare owed a duty to Plaintiffs and Class members to implement and maintain reasonable and adequate security measures to secure, protect, and safeguard their [personal health information/personal identifying information (PHI/PII)] against unauthorized access and disclosure,” the data breach class action lawsuit contends.

“BJC Healthcare breached that duty by, among other things, failing to implement and maintain reasonable security procedures and practices to protect its patients’ PHI/PII from unauthorized access and disclosure.”

BJC Healthcare hasn’t admitted any wrongdoing but agreed to settle the case against it in a class action lawsuit settlement. The settlement total is not included in the settlement agreement.

Under the terms of the BJC data incident settlement, class members can be reimbursed for ordinary and extraordinary expenses resulting from the settlement. 

Ordinary expense reimbursement is capped at $250 per person and includes bank fees, interest, credit monitoring costs, postage, mileage and up to three hours of lost time at a rate of $20 per hour. Larger payments of $5,000 are available for extraordinary expense reimbursement, which includes documented, unreimbursed monetary losses and up to three hours of additional lost time at a rate of $20 per hour.

The settlement also provides credit monitoring to class members. Under the terms of the deal, participating class members can receive two years of credit monitoring and identity theft insurance through IDX.

In addition to providing payments and credit monitoring, BJC Healthcare agreed to make changes to its cybersecurity policies to better protect consumer data. New policies, mandatory training and an improved password policy are all included under the new cybersecurity approach. Additionally, BJC will spend an estimated $2.7 million to implement multifactor authentication for email access — reducing the risks of phishing.

The deadline for exclusion and objection is Aug. 16, 2022. 

The final approval hearing for the settlement is scheduled for Sept. 6, 2022.

In order to receive a payment from the BJC data breach class action settlement, class members must submit a valid claim form by Dec. 14, 2022.

Who’s Eligible

The settlement benefits individuals who received a notice from BJC Healthcare that their information may have been compromised in a data breach on March 6, 2020.

Potential Award

Up to $5,000

Proof of Purchase

A login and password from the notice you received will be needed to login.  If you do not have the login and password, contact the settlement administrator at 866-742-4955 or bjcdataincident@rg2claims.com in order to request that it be resent. Other documentation will be required to receive the maximum payout.

Claim Form

NOTE: If you do not qualify for this settlement do NOT file a claim.

Remember: you are submitting your claim under penalty of perjury. You are also harming other eligible Class Members by submitting a fraudulent claim. If you’re unsure if you qualify, please read the FAQ section of the Settlement Administrator’s website to ensure you meet all standards (Top Class Actions is not a Settlement Administrator). If you don’t qualify for this settlement, check out our database of other open class action settlements you may be eligible for.

Claim Form Deadline

12/14/2022

Case Name

In Re BJC Healthcare Data Breach Litigation, Case No. 2022-CC09492, in the Circuit Court of the City of St. Louis State of Missouri

Final Hearing

09/06/2022

Settlement Website

BJCDataIncindent.com

Claims Administrator

RG/2 Claims Administration LLC
c/o RG/2 Claims Administration
P.O. Box 59479
Philadelphia, PA 19102-9479
bjcdataincident@rg2claims.com
866-742-4955

Class Counsel

Ben Barnow
BARNOW AND ASSOCIATES PC

J Gerard Stranch IV
BRANSTETTER STRANCH & JENNINGS PLLC

John F Garvey
CAREY DANIS AND LOWE

Kenneth J Brennan
Tyler Schneider
TORHOERMAN LAW LLC

Aaron Zigler Esq
ZIGLER LAW GROUP

Defense Counsel

Paul G Karlsgodt
BAKER & HOSTETLER LLP

Matthew D Knepper
HUSCH BLACKWEL