St. Louis-based Mercy has agreed to pay $1.8 million to settle a lawsuit over a 2020 data breach.
Two plaintiffs filed the class action complaint in 2022, claiming the 30-hospital system failed to protect their privacy when a Mercy employee improperly accessed patients' personally identifiable and protected health information.
Mercy said in 2020 that the former staffer may have accessed names, addresses, dates of birth, medical record numbers, treatment and clinical information, and radiological images on "one or more" occasions. Mercy reported to HHS that 11,187 individuals were affected.
Class members are eligible for a flat payment of $90 each, or a claim for time and money spent addressing identity theft of up to $300 each, according to the March settlement. The attorneys were awarded up to $600,000, while the class representatives are eligible for up to $5,000 each. Class members have until June 10 to file a claim.
"Mercy takes patient privacy very seriously," a health system spokesperson emailed Becker's. "In 2020, we began investigating immediately upon learning that a Mercy employee accessed medical record information of patients not needed by the employee for patient care purposes. We alerted and worked with all appropriate agencies, and the employee no longer works for Mercy. We have made additional enhancements to procedures to prevent a similar issue from happening in the future."
"We have not had any reports of fraud related to the breach though, out of an abundance of caution, we notified those patients whose information was accessed and provided free credit monitoring for them," the statement continued. "The class action settlement is a resolution of litigation concerning the incident."