On or around July 17, 2015, UCLA Health suffered a cyberattack that affected approximately 4.5 million individuals’ personal and health information. A week later, the Regents of the University of California were hit with a series of class action suits related to the breach. After four years of litigation, the matter is coming to a close. On June 18, 2019, the court will finally determine whether the settlement reached by the parties is fair, reasonable, and adequate. At present, the total cost of the settlement may exceed $11 million. This settlement is just one example of how a privacy incident can embroil an organization in costly litigation for years after the initial incident and underlines the benefits of implementing secure systems and procedures before an incident occurs.
The proposed settlement will require UCLA to provide two years of credit monitoring, identity theft protection, and insurance coverage for affected persons. UCLA will also set aside $2 million to settle claims for any unreimbursed losses associated with identity theft. UCLA will spend an additional $5.5 million plus any remaining balance on the $2 million claims budget towards cybersecurity enhancements for the UCLA Health Network. In total, there would be $7.5 million dollars set aside to reimburse claims and enhance security procedures. However, UCLA must also cover the up-to $3.4 million in fees and costs of the class action plaintiffs’ attorneys.