
Shields Health Care Group settles breach lawsuit for $15.35M
Shields Health Care Group agreed to a $15.35 million settlement to resolve a lawsuit stemming from a 2022 data breach that impacted more than 2 million people.
Massachusetts-based Shields Health Care Group agreed to pay $15.35 million to settle a consolidated class action complaint over a 2022 hack and data breach that impacted more than 2 million individuals. Shields provides MRI, PET/CT, and ambulatory surgical services to patients across New England at more than 30 locations.
On March 28, 2022, Shields Health Care Group detected suspicious activity within its network. Shields later determined that an unknown actor gained access to certain systems from March 7, 2022, to March 21, 2022. The actor had acquired data, the health system confirmed.
The breach involved full names, Social Security numbers, provider information, diagnoses, billing information, medical record numbers, patient IDs, dates of birth, addresses and treatment information. Shields notified more than 50 facility partners across New England of the breach.
Several lawsuits were filed in the wake of the breach and were later consolidated into a single lawsuit. The consolidated complaint alleged that Shields' June 2022 breach notice was "untimely and woefully deficient" given that Shields detected the breach in March.
Plaintiffs asserted that Shields committed breach of fiduciary duty, breach of confidence and invasion of privacy, and violated several state consumer protection laws. Shields denied any wrongdoing.
Upon approval, the settlement class -- which includes 2.3 million individuals nationwide, with the exception of Massachusetts residents -- will be eligible for up to $2,500 per plaintiff to cover out-of-pocket expenses incurred due to the breach. Class members can also submit a claim for up to $25,000 in extraordinary losses, such as fraud or identity theft.
The settlement agreement also noted that Shields has improved its security measures since the hack, though it did not share specific actions the organization took to shore up its security practices.
"Since the Incident, Defendant has invested significantly in remediation, cybersecurity enhancements, and expansion of its IT workforce, and has committed to maintaining those investments and measures for the foreseeable future, details of which were confidentially shared with Plaintiffs’ Counsel during settlement negotiations," the settlement agreement stated.
A judge in the U.S. District Court for the District of Massachusetts approved the agreement, which now awaits preliminary approval by the court.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.