Schneck Medical Center

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

Schneck Medical Center, located in Seymour, Indiana, experienced a significant data breach due to a ransomware attack on September 29, 2021. The breach exposed the personal health information (PHI) of nearly 90,000 residents, including full names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, payment card information, medical diagnoses, and health insurance information[1][5][7].

The state of Indiana filed a lawsuit against Schneck Medical Center, alleging that the hospital was aware of critical security issues before the breach, as identified in a HIPAA risk analysis completed in late 2020. Despite this knowledge, the hospital reportedly failed to implement and maintain reasonable security practices to protect patients’ personal data[1][5]. Furthermore, the lawsuit claimed that Schneck Medical Center did not directly notify patients of the breach for more than 200 days after its discovery in November 2021 and misrepresented the date of discovery in their May 2022 notice, claiming the breach was found in March 2022[1].

In response to the incident, Schneck Medical Center faced a class action lawsuit filed on behalf of affected individuals, which contended that the hospital underplayed the severity of the breach and failed to adequately notify victims, leaving them vulnerable to identity theft[2][10]. The lawsuit sought damages and called for Schneck to implement improved security procedures and measures[2][14].

Ultimately, Schneck Medical Center reached a $250,000 settlement with the Indiana Attorney General, Todd Rokita, over the breach. As part of the settlement, the medical center agreed to bolster its existing safeguards and introduce additional measures to prevent future attacks[1][3][7]. Additionally, two class action lawsuits filed by patients were consolidated and recently settled for $1.3 million[11].

The breach at Schneck Medical Center is part of a larger trend of increasing cyberattacks and data breaches in the healthcare sector, which has been particularly vulnerable due to high-value data and weaker threat mitigation[1][8].

Citations:

  1. https://www.healthcaredive.com/news/indiana-schneck-medical-center-data-breach-settlement/693256/
  2. https://www.therepublic.com/2022/06/17/schneck-facing-class-action-lawsuit-for-data-breach/
  3. https://www.hipaajournal.com/schneck-medical-center-settles-hipaa-lawsuit-with-indiana-ag/
  4. https://www.wdrb.com/news/seymour-medical-center-falls-victim-to-hackers/article_6fb3679c-2219-11ec-a065-afa566bd9d75.html
  5. https://news.bloomberglaw.com/privacy-and-data-security/indiana-sues-schneck-medical-center-over-2021-data-breach
  6. https://www.bankinfosecurity.com/cyberattacks-disable-networks-at-2-indiana-hospitals-a-17671
  7. https://www.beckershospitalreview.com/cybersecurity/indiana-hospital-pays-250k-to-state-over-data-breach.html
  8. https://www.insideindianabusiness.com/articles/indiana-leads-the-nation-in-medical-data-breaches-report-says
  9. https://www.schnecksettlement.com
  10. https://www.therepublic.com/2022/06/16/schneck-medical-center-named-in-class-action-lawsuit-related-to-data-breach/
  11. https://www.hipaaguide.net/indiana-settles-schneck-medical-center-data-breach-lawsuit-for-250000/
  12. https://www.scmagazine.com/analysis/refuahhealth-informs-261k-patients-of-may-2021-network-data-theft
  13. https://www.schneckmed.org/blog/schneck-cyber-security-incident-statement
  14. https://tribtown.com/2022/06/17/schneck-facing-class-action-lawsuit-for-data-breach/
Breach Submission Date May 13, 2022
Converted Entity Name Schneck Medical Center
Converted Entity Type Healthcare Provider
State IN
Individuals Affected 92,311
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes