Fertility Centers of Illinois has offered to pay $450,000 to settle a lawsuit submitted on behalf of patients and staff members who were impacted by its data breach in February 2021.
On February 1, 2021, attackers acquired access to the Fertility Centers system that keeps the sensitive data of employees and patients, such as names, passport numbers, Social Security numbers, employee ID numbers, financial account, and payment data, medical record numbers, diagnoses, treatment details, billings and claims details, occupational health data, Medicare/Medicaid details, and usernames and passwords together with PINs or account login data.
The breach investigation took six months. Notification of affected persons took another four months. Affected individuals received notification letters in December 2021. The provider reported the data breach to the HHS’ Office for Civil Rights on December 27, 2021 indicating that 79,943 patients were affected. It ought to be noted that it is required by the HIPAA Breach Notification Rule to notify the HHS and impacted persons concerning breaches of protected health information (PHI) in a period of 60 days since the discovery of a security breach.
The Monegato, et al. v. Fertility Centers of Illinois PLLC lawsuit that was filed in the Circuit Court of Cook County, IL concerns the duration of issuing the notifications, claiming that Fertility Centers of Illinois unnecessarily delayed sending notifications, attempted to cover up the seriousness of the breach, and misinformed the nature of the data breach and the risk faced by impacted persons. The lawsuit additionally claims Fertility Centers of Illinois did not sufficiently secure patient records, with the claimed insufficiency of safety measures and breach notification delay that violates Illinois law.
The claimed security problems include
- the storage of protected health information (PHI) and personally identifiable information (PII) in several areas, each with varied security safety measures
- inability to sufficiently teach workers about security standards
- insufficient security procedures for securing PHI/PII
The lawsuit likewise claims an inadequate breach response that had taken 6 months to ascertain hackers accessed PHI/PII. Furthermore, the breach notification letters expressed, in bold and underlined words, that electronic medical records were not accessed while the following paragraph clearly stated that the data included in medical files were in fact accessed.
The lawsuit states that data breach victims currently face a lifetime threat of identity theft and fraud, they will keep suffering damages, such as lost time, monetary losses, anxiety, and psychological distress, and cannot regulate the use of their PHI/PII, endured a decrease in value of their PII and PHI, and have to cope with the continuing exposure of their PII and PHI. In spite of these challenges, the Fertility Centers of Illinois just offered 12-24 months of identity theft protection services.
Fertility Centers of Illinois did not admit any wrongdoing and opted to resolve the lawsuit to prevent additional legal expenses and the uncertainty of trial. Based on the settlement terms, persons impacted are eligible to file a claim for as much as $450 for ordinary losses like out-of-pocket costs incurred due to the data breach, and compensation for around four hours of lost time at $20 an hour. Claims as much as $5,000 are allowed for documented extraordinary losses suffered from February 1, 2021 to June 5, 2023, that aren’t paid under ordinary losses. The settlement amount is limited to $450,000 and claims shall be paid pro rata in case that amount is arrived at. Additionally, all impacted people can claim an extra 24 months of credit monitoring services (using Pango) from the date the settlement took effect.