The Medibase Group Inc. and Staten Island University Hospital: Staten Island University Hospital Settles Lawsuit Over Business Associate Data Breach

Staten Island University Hospital Settles Class Action Over 2024 Business Associate Data Breach

Staten Island University Hospital (SIUH) has reached a settlement in a class action lawsuit stemming from a January 2024 data breach at The Medibase Group Inc., one of its business associates. The vendor, which provides healthcare solutions and technical support, notified SIUH on May 8, 2024, that an unauthorized third party had accessed systems containing the protected health information of 35,106 individuals. Compromised data included names, Social Security numbers, dates of birth, medical records, and health insurance details. Affected individuals were notified by mail on July 5, 2024.

The lawsuit, Santiago et al. v. Staten Island University Hospital, was filed in Georgia’s Superior Court of Cherokee County by plaintiffs Belle De Santiago and Elena Girenko. It alleged that SIUH failed to implement adequate security measures to safeguard patient data, citing claims of negligence, breach of implied contract, and unjust enrichment. While SIUH denied any wrongdoing, it agreed to settle to avoid prolonged litigation costs and operational disruptions.

Under the settlement, class members may claim two years of medical data monitoring, including a $1 million identity theft insurance policy. Compensation options include up to $1,000 for documented out-of-pocket losses or a $35 flat cash payment. The deadlines for opting out and submitting claims are March 2, 2026, and March 16, 2026, respectively, with a final fairness hearing scheduled for March 31, 2026.

Source: https://www.hipaajournal.com/staten-island-university-hospital-data-breach-settlement/

Staten Island University Hospital cybersecurity rating report: https://www.rankiteo.com/company/staten-island-university-hospital

The Medibase Group Inc cybersecurity rating report: https://www.rankiteo.com/company/the-medibase-group-inc

"id": "STATHE1770739062",
"linkid": "staten-island-university-hospital, the-medibase-group-inc",
"type": "Breach",
"date": "5/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': '35,106 individuals',
                        'industry': 'Healthcare',
                        'location': 'Staten Island, New York, USA',
                        'name': 'Staten Island University Hospital',
                        'type': 'Healthcare Provider'},
                       {'customers_affected': '35,106 individuals',
                        'industry': 'Healthcare Solutions/Technical Support',
                        'name': 'The Medibase Group Inc.',
                        'type': 'Business Associate (Vendor)'}],
 'customer_advisories': 'Notification by mail to affected individuals on July '
                        '5, 2024',
 'data_breach': {'number_of_records_exposed': '35,106',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (PHI and PII)',
                 'type_of_data_compromised': ['Names',
                                              'Social Security numbers',
                                              'Dates of birth',
                                              'Medical records',
                                              'Health insurance details']},
 'date_detected': '2024-05-08',
 'date_publicly_disclosed': '2024-07-05',
 'description': 'Staten Island University Hospital (SIUH) settled a class '
                'action lawsuit stemming from a January 2024 data breach at '
                'The Medibase Group Inc., a business associate. The breach '
                'exposed protected health information of 35,106 individuals, '
                'including names, Social Security numbers, dates of birth, '
                'medical records, and health insurance details.',
 'impact': {'brand_reputation_impact': 'Lawsuit and settlement',
            'data_compromised': 'Protected health information (PHI)',
            'identity_theft_risk': 'High (Social Security numbers and medical '
                                   'records exposed)',
            'legal_liabilities': 'Class action lawsuit settlement'},
 'investigation_status': 'Settled',
 'post_incident_analysis': {'corrective_actions': 'Settlement includes two '
                                                  'years of medical data '
                                                  'monitoring and identity '
                                                  'theft insurance for '
                                                  'affected individuals',
                            'root_causes': 'Alleged failure to implement '
                                           'adequate security measures by SIUH '
                                           'and The Medibase Group Inc.'},
 'references': [{'source': 'Class action lawsuit settlement announcement'}],
 'regulatory_compliance': {'legal_actions': 'Class action lawsuit (*Santiago '
                                            'et al. v. Staten Island '
                                            'University Hospital*)',
                           'regulations_violated': ['HIPAA']},
 'response': {'communication_strategy': 'Notification by mail to affected '
                                        'individuals'},
 'threat_actor': 'Unauthorized third party',
 'title': 'Staten Island University Hospital Business Associate Data Breach',
 'type': 'Data Breach'}