Dive Brief:
- Seymour, Indiana-based Schneck Medical Center has reached a $250,000 settlement with the state after regulators sued the hospital over a 2021 data breach that exposed the personal health information of nearly 90,000 residents.
- Indiana alleged the hospital knew about “critical security issues” before the breach, according to the lawsuit. It also argued Schneck failed to directly notify patients for more than 200 days after the hospital first discovered the breach, and didn’t immediately disclose the risk of exposure of personal health information or encourage patients to take precautions.
- In a statement shared with Healthcare Dive, the medical center said it is making “numerous efforts” to bolster existing safeguards and introduce additional measures to prevent future attacks.
Dive Insight:
Schneck, which serves four counties in southeast Indiana, was hit by a ransomware attack in late September 2021, according to the state’s lawsuit. The attack exposed personal health information that included full names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, payment card information, medical diagnoses and health insurance information.
The state alleged that the medical center knew about security issues that contributed to the breach after a HIPAA risk analysis was completed in late 2020, yet the center had still “knowingly failed to implement and maintain reasonable security practices” to protect patients’ personal data.
Indiana also said Schneck didn’t disclose that the breach involved personal health information or directly notify patients until May 2022 — more than 200 days after the hospital first discovered the breach in November.
In the notice posted in May, the hospital also misrepresented when it discovered the breach, saying that it found the breach in March 2022, the state alleged.
Data breaches have become increasingly common in the healthcare sector over the past decade, exposing 385 million patient records from 2010 to 2022, according to federal records.
The industry is particularly vulnerable to cyberattacks due to high-value data alongside weaker threat mitigation, made worse by burnout and staff shortages that increased during the COVID-19 pandemic.
Ransomware, where criminals demand payment in exchange for returned access to critical systems, is a serious risk for health systems and patients, as attacks can disrupt care and shut down facilities.